SQL code execution in bigtreecms 4.2.18 #292

Closed
xfkxfk opened this issue Jun 5, 2017 · 3 comments

@xfkxfk

commented Jun 5, 2017

Multiple security issues of SQL code execution exist in BigTree CMS versions less than 4.2.18.

FILE:
\BigTree-CMS-4.2.18\core\admin\modules\developer\extensions\install\process.php

	$manifest = json_decode(file_get_contents(SERVER_ROOT."cache/package/manifest.json"),true);

	// Insert the extension and growl
	$admin->installExtension($manifest);

Continuing into the installExtension() function:
FILE:
\BigTree-CMS-4.2.18\core\inc\bigtree\admin.php

	function installExtension($manifest,$upgrade = false) {
		$bigtree["group_match"] = $bigtree["module_match"] = $bigtree["route_match"] = $bigtree["class_name_match"] = $bigtree["form_id_match"] = $bigtree["view_id_match"] = $bigtree["report_id_match"] = array();
		$extension = sqlescape($manifest["id"]);

		// Turn off foreign key checks so we can reference the extension before creating it
		sqlquery("SET foreign_key_checks = 0");

		// Upgrades drop existing modules, templates, etc -- we don't drop settings because they have user data
		if (is_array($upgrade)) {
			sqlquery("DELETE FROM bigtree_module_groups WHERE extension = '$extension'");
			sqlquery("DELETE FROM bigtree_modules WHERE extension = '$extension'");
			sqlquery("DELETE FROM bigtree_templates WHERE extension = '$extension'");
			sqlquery("DELETE FROM bigtree_callouts WHERE extension = '$extension'");
			sqlquery("DELETE FROM bigtree_field_types WHERE extension = '$extension'");
			sqlquery("DELETE FROM bigtree_feeds WHERE extension = '$extension'");

		// Import tables for new installs
		} else {
			foreach ($manifest["components"]["tables"] as $table_name => $sql_statement) {
				sqlquery("DROP TABLE IF EXISTS `$table_name`");
				var_dump($sql_statement);
				sqlquery($sql_statement);
			}
		}

Note here:

	$manifest["components"]["tables"] as $table_name => $sql_statement
	sqlquery($sql_statement);

We can execute any SQL code here.

POC:
1. Build an extension.
2. Add modules, templates, callouts, field types, feeds, and settings to your extension.
3. Add additional files to your extension.
4. Create the extension.
5. Download the extension (a zip file).
6. Modify the manifest.json content in the extension (the zip file).
7. Install the extension (upload and install).
8. The SQL code will be executed when the install succeeds.

Here we write a file to the web root directory:

"tables": {
"your_table_name": "SELECT '' into outfile 'd:/wamp/www/BigTree-CMS-4.2.18/shell.php'"
}

We can get the web root directory here:
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/ajax/developer/extensions/file-browser/
When you select a file and then save files, you can see the web root directory.

[screenshot: sqlexec]

The same vulnerability exists in the file \BigTree-CMS-4.2.18\core\admin\modules\developer\packages\install\process.php

thank you~
email : xfkxfk@secbook.net

@timbuckingham

Collaborator

commented Jun 5, 2017

This is a feature and one that we don't consider a security hole. You must implicitly trust any package or extension you install as they all have the ability to write PHP files (and as they are PHP scripts could already remotely call the database and write to the file system).

@xfkxfk

Author

commented Jun 5, 2017

When you install a package or extension, the system must verify the contents of the included files, rather than leaving the user to confirm them. If you install a malicious file, you will be attacked.
If SQL code needs to be executed, it has to be limited; it cannot be allowed to execute any SQL code.

@timbuckingham

Collaborator

commented Jun 5, 2017

Without signing extensions with a private key there's no way for the system to verify an extension hasn't been modified. If an extension has been modified then it's free to execute any PHP code it wants. Having the SQL inside the manifest or inside of sqlquery() calls in a PHP file included in the extension makes little difference. Extensions can already install files into the public root (inside /site/extensions/) so if you simply included a "shell.php" file inside of the /public/ folder in an extension it would be a much easier way to write a shell script than through the manifest SQL.
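As an added illustration of the "limited SQL" restriction the reporter asks for above (a hypothetical helper, not BigTree's own code; the function name, the error format and the sample manifests are constructed), the following check accepts a manifest "tables" entry only if it is a single CREATE TABLE statement for the table named by its key, which is the shape the installer's `DROP TABLE IF EXISTS` / `sqlquery()` loop expects. As the maintainer points out, this narrows only the manifest path; an extension's own PHP files remain fully trusted.

```php
<?php
// Added example (not BigTree's code): validate $manifest["components"]["tables"]
// before installExtension() interpolates the key into DROP TABLE IF EXISTS `$table_name`
// and passes the value verbatim to sqlquery().

/**
 * Returns a list of error strings; an empty list means every entry is acceptable.
 */
function validateManifestTables(array $tables): array
{
    $errors = [];
    foreach ($tables as $tableName => $sql) {
        $tableName = (string) $tableName;
        // The key is interpolated into a backtick-quoted identifier, so keep it to a safe charset.
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $tableName)) {
            $errors[] = "invalid table name: " . json_encode($tableName);
            continue;
        }
        if (!is_string($sql)) {
            $errors[] = "$tableName: statement must be a string";
            continue;
        }
        // Exactly one statement: a semicolon anywhere but the very end means stacked statements.
        $stmt = rtrim(trim($sql), ";");
        if (strpos($stmt, ";") !== false) {
            $errors[] = "$tableName: multiple statements are not allowed";
            continue;
        }
        // The statement must be CREATE TABLE for the table named by the key and nothing else.
        $create = '/^CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?' . preg_quote($tableName, '/') . '`?\s*\(/i';
        if (!preg_match($create, $stmt)) {
            $errors[] = "$tableName: only a CREATE TABLE statement for that table is permitted";
            continue;
        }
        // Defence in depth: refuse file-system clauses regardless of statement shape.
        if (preg_match('/\b(?:INTO\s+(?:OUTFILE|DUMPFILE)|LOAD_FILE|LOAD\s+DATA)\b/i', $stmt)) {
            $errors[] = "$tableName: file system access in SQL is not permitted";
        }
    }
    return $errors;
}

// Constructed sample manifests: a legitimate table definition and an entry shaped
// like the issue's PoC (the outfile path is a placeholder, not a real deployment).
$legit = ["news_items" => "CREATE TABLE `news_items` (`id` INT AUTO_INCREMENT PRIMARY KEY, `title` VARCHAR(255))"];
$poc   = ["your_table_name" => "SELECT '' into outfile '/PLACEHOLDER_WEBROOT/shell.php'"];

var_dump(validateManifestTables($legit));
var_dump(validateManifestTables($poc));
```

Run with `php validate.php`; the first call returns an empty array and the second returns a single error, because a SELECT does not match the CREATE TABLE rule even before the OUTFILE check is reached.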
