0x01 SQL Injection of function check() & delete() in CommentadminController.class.php
The vulnerability is located in the check/delete method of /application/Comment/Controller/CommentadminController.class.php.In line 62, $_POST['ids'] parameter is passed to the where statement after the join() function, but Instead of using the in method of the where clause, it is directly spliced into the SQL statement, resulting in SQL injection.The vulnerability needs manager privilege.
POC:
http://127.0.0.1/cmfx/index.php?g=Comment&m=commentadmin&a=check&check=1POST: ids[]=1&ids[]=2 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)
0x02 SQL Injection of function edit_post() in NavController.class.php
In line 173 of application/Admin/Controller/NavController.class.php,$parentid is passed directly by $_POST['parentid'] and then stitched directly into the where statement.The vulnerability needs manager privilege.
POC:
http://127.0.0.1/cmfx/index.php?g=Admin&m=nav&a=edit_postPOST: parentid=1 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)
0x03 SQL Injection of function delete() in SlideController.class.php
In line 93 of application/Admin/Controller/SlideController.class.php, $_POST['ids'] is converted to a string by the implode method, and then directly spliced into the in clause of the where statement.The vulnerability needs manager privilege.
POC
http://127.0.0.1/cmfx/index.php?g=Admin&m=slide&a=deletePOST: ids[]=1&ids[]=0 and updatexml(1, concat(0x7e,user(),0x7e),1)
0x04 SQL Injection of function _listorders() in AdminbaseController.class.php
The _listorders method is used for sorting and is called in many places. Here is an example of listorders() in application/Admin/Controller/LinkController.class.php, which is mainly used for sorting of friendship links. We hit the breakpoint with phpstorm+phpstudy+xdebug and track it step by step. The vulnerability needs manager privilege. POC is
http://127.0.0.1/cmfx/index.php?g=Admin&m=Link&a=listordersPOST: listorders[key][0]=exp&listorders[key][1]=0 and updatexml(1, concat(0x7e,user(),0),1)
First enter the listorders method of application/Admin/Controller/LinkController.class.php line 70, and line 71 calls the parent class's _listorders() method.
Follow the _listorders() method of application/Admin/Controller/LinkController.class.php in line 166, $_POST['listorders'] is passed to to $ids as a two-dimensional array.After foreach loop, input payload $data is still a two-dimensional array.
Following the save() method of simplewind/Core/Library/Think/Model.class.php line 396, which is the core function of thinkphp. Since $data is not empty, many of the previous judgments are skipped to line 452. $data and $options are passed to the update method, and $data is still a two-dimensional array.
Following the update() method of simplewind/Core/Library/Think/Db/Driver.class.php in line 893. $data is spliced into $sql after the parseSet method. Following the definition parseSet method, after $data passes the foreach loop, $val becomes a one-dimensional array, and $key is the key value. When $val is an array and the first element of the array is exp, $val[1] will be directly spliced with $key to $set, and array $set is spliced to the SET statement after the methmod implode.
Return to the update method, the SET clause is spliced into $sql, and the final executed sql statement is
0x05 SQL Injection of method edit_post in ArticleController.class.php
ThinkCMF X2.2.2 is based on ThinkPHP 3.2.3.There is a bind injection before the ThinkPHP 3.x version, and this vulnerability is a typical case of ThinkPHP3.x injection. The vulnerability only needs normal user previlige. The POC is as follows:
http://127.0.0.1/cmfx/index.php?g=portal&m=article&a=edit_postPOST: post[id][0]=bind&post[id][1]=0 and updatexml(1, concat(0x7e,user(),0x7e),1)-- -
The text was updated successfully, but these errors were encountered:
0x01 SQL Injection of function check() & delete() in CommentadminController.class.php
The vulnerability is located in the

check/deletemethod of/application/Comment/Controller/CommentadminController.class.php.In line 62,$_POST['ids']parameter is passed to the where statement after the join() function, but Instead of using theinmethod of the where clause, it is directly spliced into the SQL statement, resulting in SQL injection.The vulnerability needs manager privilege.0x02 SQL Injection of function edit_post() in NavController.class.php
In line 173 of
application/Admin/Controller/NavController.class.php,$parentidis passed directly by$_POST['parentid']and then stitched directly into the where statement.The vulnerability needs manager privilege.0x03 SQL Injection of function delete() in SlideController.class.php
In line 93 of
application/Admin/Controller/SlideController.class.php,$_POST['ids']is converted to a string by theimplodemethod, and then directly spliced into the in clause of the where statement.The vulnerability needs manager privilege.0x04 SQL Injection of function _listorders() in AdminbaseController.class.php
The
_listordersmethod is used for sorting and is called in many places. Here is an example oflistorders()inapplication/Admin/Controller/LinkController.class.php, which is mainly used for sorting of friendship links. We hit the breakpoint with phpstorm+phpstudy+xdebug and track it step by step. The vulnerability needs manager privilege. POC isFirst enter the
listordersmethod ofapplication/Admin/Controller/LinkController.class.phpline 70, and line 71 calls the parent class's_listorders()method.Follow the
_listorders()method ofapplication/Admin/Controller/LinkController.class.phpin line 166,$_POST['listorders']is passed to to $ids as a two-dimensional array.After foreach loop, input payload $data is still a two-dimensional array.Following the save() method of
simplewind/Core/Library/Think/Model.class.phpline 396, which is the core function of thinkphp. Since $data is not empty, many of the previous judgments are skipped to line 452. $data and $options are passed to theupdatemethod, and $data is still a two-dimensional array.Following the update() method of
simplewind/Core/Library/Think/Db/Driver.class.phpin line 893. $data is spliced into $sql after theparseSetmethod. Following the definitionparseSetmethod, after $data passes the foreach loop, $val becomes a one-dimensional array, and $key is the key value. When $val is an array and the first element of the array isexp, $val[1] will be directly spliced with $key to $set, and array $set is spliced to the SET statement after the methmodimplode.Return to the update method, the SET clause is spliced into $sql, and the final executed sql statement is
0x05 SQL Injection of method edit_post in ArticleController.class.php
ThinkCMF X2.2.2 is based on ThinkPHP 3.2.3.There is a
bindinjection before the ThinkPHP 3.x version, and this vulnerability is a typical case of ThinkPHP3.x injection. The vulnerability only needs normal user previlige. The POC is as follows:The text was updated successfully, but these errors were encountered: