lmxcms v1.4.1 Front page sql injection #3

Open
jspring996 opened this issue Mar 9, 2023 · 0 comments
Comments

@jspring996
Owner

This is the message page of the front end.

Find the back-end code by following the front page. The ischeck field determines whether the message content is displayed on the page. There are several key functions in the screenshots.
Function call flow:
1. index() calls checkDate()
2. checkDate() calls filter_strs($_POST) to filter strings
3. checkDate() then calls the p() function to prevent injection
4. p() calls filter_sql() to filter MySQL reserved characters and prevent injection
5. index() then continues execution and calls add()
6. add() in turn calls addModel()
7. addModel() then calls addDB()
8. $sql in addDB() is an INSERT statement, where the value of $value comes from $data, and $data is a parameter we can control.

Add `echo $sql` to output the complete SQL statement, which makes constructing the payload easier.

Packet analysis

After the insert, the message is not displayed; it appears on the front end only when ischeck=1.

There are many filtering functions in the code above, but I found that they only filter the values in the $data array, not the keys. The front page echoes the message only when ischeck=1, so construct the payload so that it closes the INSERT statement.
payload: `name=x&mail=x&tel=x&content=x&setbook=%E6%8F%90%E4%BA%A4&ischeck=1&time)VALUES(user(),1,1,1,1,1,1);#=1`

Protection Advice
Filter the keys in the array as well.
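The pattern the issue describes and the fix it recommends, side by side, as an added example that is not lmxcms code: an INSERT builder that escapes values but joins array keys verbatim, next to one that accepts only allow-listed column names and binds values through placeholders. The function names, the table name `message_table` and the column allow-list are hypothetical.

```php
<?php
// Added example, not lmxcms code. Function names, the table name
// 'message_table' and the column allow-list are hypothetical.

// Vulnerable pattern from the issue: values are escaped, but the keys of
// $data are joined verbatim into the column list, so a crafted key can
// close the column list and carry its own VALUES clause.
function build_insert_unsafe(string $table, array $data): string {
    $cols = implode(',', array_keys($data));
    $vals = implode(',', array_map(fn($v) => "'" . addslashes((string)$v) . "'", $data));
    return "INSERT INTO `$table` ($cols) VALUES ($vals)";
}

// Hardened pattern: a key is accepted only if it is in an explicit column
// allow-list, column names are back-quoted, and values become placeholders
// so the database driver binds them instead of string concatenation.
function build_insert_safe(string $table, array $data, array $allowed): array {
    $cols = [];
    $params = [];
    foreach ($data as $key => $value) {
        if (!in_array($key, $allowed, true)) {
            throw new InvalidArgumentException('unexpected column: ' . json_encode($key));
        }
        $cols[] = '`' . $key . '`';
        $params[':' . $key] = $value;
    }
    $sql = "INSERT INTO `$table` (" . implode(',', $cols) . ') VALUES ('
         . implode(',', array_keys($params)) . ')';
    return [$sql, $params];
}

// Constructed input modelled on the request in the issue: ordinary fields
// plus one whose key is a SQL fragment.
$post = [
    'name' => 'x', 'content' => 'x', 'ischeck' => '1',
    'time)VALUES(user(),1,1,1,1,1,1);#' => '1',
];
$allowed = ['name', 'mail', 'tel', 'content', 'ischeck', 'time'];
echo build_insert_unsafe('message_table', $post), "\n"; // key fragment becomes part of the SQL text
try {
    build_insert_safe('message_table', $post, $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";          // crafted key never reaches the query
}
// Dropping keys outside the allow-list leaves a parameterised statement whose
// column names are back-quoted and whose values are :name-style placeholders.
$clean = array_intersect_key($post, array_flip($allowed));
[$sql, $params] = build_insert_safe('message_table', $clean, $allowed);
echo $sql, "\n"; // pass $sql to prepare() and $params to execute() on a PDO handle
```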
