
Bug Report: Time-based blind SQL injection Vulnerability in cszcms/core/MY_Security.php on cszcms-1.2.2 #19

Closed
4rog opened this issue Jun 19, 2019 · 4 comments

Comments

4rog commented Jun 19, 2019

Title: Time-based blind SQL injection Vulnerability in cszcms/core/MY_Security.php on cszcms-1.2.2
Discovered by: @satuer from ABT Labs
Security: high (dump database)
Software: https://github.com/cskaza/cszcms/archive/1.2.2.zip

Description:
There is a high-risk time-based SQL injection vulnerability on the frontend login page (http://website/cszcms-1.2.2/member/login/check). Exploiting this vulnerability could dump the whole database without logging in.
When logging in on the frontend login page, if the csrf_csz parameter is removed or padded with any string, a log entry is recorded in the table 'login_logs' with the reason 'CSRF Protection Invalid'. But the 'HTTP_USER_AGENT' field is used directly, without any check, when inserting the record. By constructing a special 'HTTP_USER_AGENT' field, this vulnerability can be exploited.

files: cszcms/core/MY_Security.php
[screenshot omitted]

login page:
[screenshot omitted]

login_logs:
[screenshot omitted]

If you remove the csrf_csz parameter and log in again, a 'CSRF Protection Invalid' log entry is recorded.
login_logs:
[screenshot omitted]

Exploit:
Construct an HTTP_USER_AGENT header and remove the csrf_csz parameter:
[screenshot omitted]

User-Agent: '-( if( condition, sleep(5), 1) )-'', '192.168.1.11','time') #
If the condition is true, the page returns after 5 seconds; otherwise it returns immediately.

When the UA is '-(if((substr((select email from user_admin limit 1), 1, 1)='1'),sleep(5),1))-'', '192.168.1.11','time') #
the SQL string is INSERT INTO login_logs (email_login, note, result, user_agent, ip_address, timestamp_create) VALUES ('', 'CSRF Protection Invalid', 'CSRF_INVALID', ''-(if((substr((select email from user_admin limit 1),1,1)='1'),sleep(5),1))-'', '192.168.1.11','time') #', '192.168.62.1', '2019-06-19 21:17:34.000000')

The insert statement does not actually execute because the last column is not in the correct time format. But the sub-select statement will execute, and the sleep will execute if the condition is true.
[screenshot omitted]

So the number of records in the login_logs table will not increase. The IP will not be added to the blacklist, and the condition ($count < 10 in line 45) is always true. Then you can dump the whole database one byte at a time.

Suggestion:
Check the UA before inserting it into the SQL statement.

cskaza (Owner) commented Jun 19, 2019

Can you download this file, extract all the files from it and replace the old files with them?
https://www.cszcms.com/downloads/upgrade-1.2.3-rev1.zip

And try to test the exploit again.
Please let me know the result.

Thanks for your security bug.

4rog (Author) commented Jun 20, 2019

I replaced the old files with the new files and tried again, but unfortunately the problem still exists. I also checked your changes; I think using the xss_clean function can't solve the SQL injection problem.

It is recommended to use the function 'escape_string' or 'real_escape_string', which escapes special characters in a string for use in an SQL statement, or to use prepare and bind_param...
https://www.php.net/manual/en/mysqli.real-escape-string.php
https://www.php.net/manual/en/mysqli.prepare.php

Using escape_string for the test:
[screenshot omitted]

The injection string is escaped, and the UA is recorded as a string in the log:
[screenshot omitted]
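The report above describes an INSERT built by splicing the raw User-Agent header into the SQL text, and the comment above recommends mysqli escaping or prepared statements instead. The following PHP is an added example written for this thread, not code from cszcms or from either participant. It places the vulnerable concatenation pattern beside a version that binds every request-controlled value with mysqli's prepare/bind_param. The table and column names are taken from the statement quoted in the report; the function names, the 255-character column width and the connection details are assumptions (placeholders).

```php
<?php
// Added example, not cszcms code. Compares the concatenation pattern behind
// the reported bug with a mysqli prepared statement. Table/column names follow
// the INSERT quoted in the report; everything else here is assumed.
declare(strict_types=1);

// Vulnerable pattern (for comparison only): the User-Agent header is spliced
// into the SQL text, so a quote inside it closes the string literal and the
// rest of the header is parsed as SQL, including any sub-select it carries.
function log_csrf_failure_vulnerable(mysqli $db, string $email, string $ip, string $userAgent): bool
{
    $ts  = date('Y-m-d H:i:s');
    $sql = "INSERT INTO login_logs (email_login, note, result, user_agent, ip_address, timestamp_create)
            VALUES ('$email', 'CSRF Protection Invalid', 'CSRF_INVALID', '$userAgent', '$ip', '$ts')";
    return $db->query($sql) !== false;
}

// Fixed pattern: the statement text is fixed, and each value travels to the
// server as a bound parameter, so the header is stored verbatim as data and is
// never parsed as part of the statement.
function log_csrf_failure(mysqli $db, string $email, string $ip, string $userAgent): bool
{
    // Request headers are attacker-controlled and unbounded; cap the length to
    // the assumed column width so an oversized header fails cleanly.
    $userAgent = mb_substr($userAgent, 0, 255);
    $note      = 'CSRF Protection Invalid';
    $result    = 'CSRF_INVALID';
    $ts        = date('Y-m-d H:i:s');

    $stmt = $db->prepare(
        'INSERT INTO login_logs (email_login, note, result, user_agent, ip_address, timestamp_create)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ssssss', $email, $note, $result, $userAgent, $ip, $ts);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage: connection details are placeholders; the values come from the request.
$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');

$email = (string) ($_POST['email'] ?? '');
$ip    = (string) ($_SERVER['REMOTE_ADDR'] ?? '');
$ua    = (string) ($_SERVER['HTTP_USER_AGENT'] ?? '');

log_csrf_failure($db, $email, $ip, $ua);
```

With the bound version, a header containing quotes or a sub-select ends up as an ordinary string in the user_agent column, which is the behaviour the screenshot above shows for the escaped test. real_escape_string gives the same result only when the escaped value is then placed inside a quoted literal and the connection charset has been set with set_charset, so binding is the less error-prone choice; xss_clean targets HTML output and does nothing for SQL context. If the code base uses CodeIgniter's query builder (assumed here, given the MY_Security.php naming), `$this->db->insert('login_logs', $data)` escapes values in the same way.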

cskaza (Owner) commented Jun 20, 2019

Can you download this file, extract all the files from it and replace the old files with them?
https://www.cszcms.com/downloads/upgrade-1.2.3-rev2.zip

And try to test the bug again.
Please let me know the result.

Thanks for your security bug.

4rog (Author) commented Jun 21, 2019

Verified, it no longer works, thank you.
