CVE-2023-29598: lmxcms v1.4.1 Front page sql injection · Issue #3 · jspring996/PHPcodecms

lmxcms v1.4.1 was discovered to contain a SQL injection vulnerability via the setbook parameter at index.php.


This is the guestbook (message) page on the site's front end.

Find the back-end code through the front page. The ischeck field determines whether the content of a message is displayed on the page. There are several key functions in the screenshot.
Function call flow:
index() calls checkDate()
checkDate() calls filter_strs($_POST) to filter the submitted strings
checkDate() then calls the p() function to prevent injection
p() calls filter_sql(), which filters MySQL's reserved characters to prevent injection
index() then continues and calls the add() function
add() in turn calls addModel()
addModel() then calls addDB()
$sql in addDB() is an INSERT statement; $value is built from $data, and $data is the parameter we control.

Adding echo $sql outputs the complete SQL statement, which makes it easy to see how the payload ends up in the query.

Packet analysis

After the form is submitted, the message is not displayed; it appears on the front end only when ischeck=1.

There are many filtering functions in the code above, but I found that they filter only the 'value' entries of the $data array, not the 'key' entries, and the front page echoes a message only when ischeck=1. So construct the payload so that it closes the INSERT statement.
payload: name=x&mail=x&tel=x&content=x&setbook=%E6%8F%90%E4%BA%A4&ischeck=1&time)VALUES(user(),1,1,1,1,1,1);#=1

Protection Advice
Filter (validate) the keys of the array as well, not only the values.
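The following is an added illustration, not lmxcms code: a simplified addDB() in the shape the issue describes (values escaped, keys used as the column list unchanged) next to a hardened version that checks every key against an allow-list of real column names and binds the values as parameters. The table name, the column list and the function names addDB_unsafe/addDB_safe are assumptions for the example.

```php
<?php
// Added example, not from the lmxcms project. Demonstrates why escaping only
// the values of $data is not enough when its keys become SQL column names.

// Pattern described in the issue: every value is escaped, but the keys are
// concatenated straight into the column list, so a key that contains
// ")VALUES(...);#" changes the structure of the statement.
function addDB_unsafe(mysqli $db, string $table, array $data): string
{
    $cols = implode(',', array_keys($data));                  // keys: not filtered
    $vals = implode(',', array_map(
        fn($v) => "'" . $db->real_escape_string((string) $v) . "'",
        array_values($data)                                   // values: escaped
    ));
    return "INSERT INTO `$table` ($cols) VALUES ($vals)";
}

// Hardened version: column names come from a fixed allow-list (hypothetical
// guestbook columns taken from the form fields named in the issue), any other
// key is rejected, and values are bound with placeholders instead of being
// interpolated. $table is expected to be a trusted server-side constant.
function addDB_safe(PDO $db, string $table, array $data): PDOStatement
{
    $allowedCols = ['name', 'mail', 'tel', 'content', 'time'];
    if ($data === []) {
        throw new InvalidArgumentException('no columns to insert');
    }
    foreach (array_keys($data) as $key) {
        if (!in_array($key, $allowedCols, true)) {
            throw new InvalidArgumentException(
                'unexpected column name: ' . var_export($key, true));
        }
    }
    $cols  = implode(', ', array_map(fn($c) => "`$c`", array_keys($data)));
    $marks = implode(', ', array_fill(0, count($data), '?'));
    $stmt  = $db->prepare("INSERT INTO `$table` ($cols) VALUES ($marks)");
    $stmt->execute(array_values($data));
    return $stmt;
}

// Example request handling (hypothetical): keep only the expected fields, and
// set moderation flags such as ischeck on the server rather than from $_POST.
function handleGuestbookPost(PDO $db, array $post): PDOStatement
{
    $fields = ['name', 'mail', 'tel', 'content'];
    $data = array_intersect_key($post, array_flip($fields));  // drops unknown keys
    $data['time'] = date('Y-m-d H:i:s');
    return addDB_safe($db, 'guestbook', $data);
}
```

Either approach in addDB_safe/handleGuestbookPost closes the hole from the issue: unknown keys are dropped by array_intersect_key before the query is built, and anything that still reaches addDB_safe must match the allow-list exactly, so a key such as the one in the payload is rejected before any SQL is assembled. Escaping values with filter_sql() remains useful for the values, but it cannot protect identifiers.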
