
There are two vulnerabilities: SQL injection and download of files without any limit #5

Closed
kerlingcode opened this issue May 24, 2018 · 3 comments


@kerlingcode

1. SQL injection

In the controller file applocation\admin\controller\AdminLog.php, in the function index, code lines 28-33:

        if (isset($this->param['user_id']) && ($this->param['user_id']) > 0) {
            $page_param['query']['user_id'] = $this->param['user_id'];
            $where_user                       = $this->param['user_id'];
            // user_id is concatenated straight into the WHERE clause
            $logs->where('user_id=' . $where_user);
            $this->assign('user_id', $this->param['user_id']);
        }

The parameter named user_id is brought into the MySQL query without any filter.
After logging in to your app with the demo account demo/demo,
and then using the payload -- admin/admin_log/index.html?user_id=1+updatexml(1,concat(0x7e,(version())),0) -- we can get the version of your MySQL. That's the testing on your demo website.

2. Download files without any limit

In the file

application\admin\controller\databack.php

in the function __construct, lines 16-29:

    public function __construct()
    {
        parent::__construct();
        $this->config = Config::get("database");

        $this->config['savepath'] = ROOT_PATH . 'backup/';
        if(!is_dir($this->config['savepath'])){
            @mkdir($this->config['savepath']);
        }
        $this->config['filename'] = "database-backup-" . date("Y-m-d-H-i-s", time()) . ".sql";

        $this->back     = new DataBackup($this->config);
        // file name comes straight from the request parameter "name"
        $this->filename = isset($this->param['name']) ? $this->param['name'] : '';
    }

From the code we know that the parameter "name" comes from the GET method, without any limit.
Let's take a look at code lines 61-64:

    public function download()
    {
        $this->back->downloadFile($this->filename);
    }

$this->back is defined in the file \extend\tools\DataBackup.php, lines 115-128:

    public function downloadFile($fileName)
    {
        // the caller-supplied name is joined to savepath without normalisation
        $fileName = $this->config['savepath'] . $fileName;
        if (file_exists($fileName)) {
            ob_end_clean();
            header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Length: ' . filesize($fileName));
            header('Content-Disposition: attachment; filename=' . basename($fileName));
            return readfile($fileName);
        }
        return $this->error('文件不存在');
    }

The downloadFile function doesn't have any filters.
So I deployed the app locally; after login we try the PoC URL /admin/databack/download.html?name=../application/database.php
We can read the config file with the MySQL account and password.
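For comparison, here is an added example of what the two operations look like when the inputs are constrained: the user id is validated as a positive integer and bound as a query parameter, and the backup name must match the generated file-name pattern and resolve to a path inside the backup directory. This is illustrative code written for this note, not the project's actual fix; it uses plain PDO with an in-memory SQLite database instead of ThinkPHP's query builder, and the table and directory names are constructed for the demo.

```php
<?php
// Added example (not the project's own code). Requires PHP >= 8 with pdo_sqlite.

// 1. user_id must be a positive integer and is bound as a parameter,
//    never concatenated into the SQL text.
function findLogsByUser(PDO $db, mixed $rawUserId): array
{
    $userId = filter_var($rawUserId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($userId === false) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, action FROM admin_log WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Only a plain backup file name inside the backup directory may be served:
//    the name must match the pattern __construct generates, and the resolved
//    path must still sit under the directory (rejects ../ and absolute paths).
function resolveBackupPath(string $savePath, string $name): ?string
{
    if (!preg_match('/^database-backup-\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}\.sql$/', $name)) {
        return null;
    }
    $base = realpath($savePath);
    $full = realpath($savePath . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    return str_starts_with($full, $base . DIRECTORY_SEPARATOR) ? $full : null;
}

// Constructed demo data: in-memory database plus a temporary backup directory.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE admin_log (id INTEGER, user_id INTEGER, action TEXT)');
$db->exec("INSERT INTO admin_log VALUES (1, 1, 'login'), (2, 2, 'logout')");
var_dump(count(findLogsByUser($db, '1')));
try {
    findLogsByUser($db, '1 updatexml(1,concat(0x7e,(version())),0)');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

$dir = sys_get_temp_dir() . '/backup_demo_' . getmypid();
mkdir($dir);
touch("$dir/database-backup-2018-05-24-20-57-50.sql");
var_dump(resolveBackupPath($dir, 'database-backup-2018-05-24-20-57-50.sql') !== null);
var_dump(resolveBackupPath($dir, '../application/database.php'));
```

The second check also fails closed when the file does not exist, so the caller can return a generic "file not found" without ever touching a path outside the backup directory.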

@yupoxiong
Owner

The problem has been fixed, thank you!

@NicoleG25

> The problem has been fixed, thank you!

Could you please specify where the fix was made?
Thank you :)

@yupoxiong
Owner

> > The problem has been fixed, thank you!
>
> Could you please specify where the fix was made?
> Thank you :)

The first one:
The code is currently on the thinkphp5.0 branch.
You can view the relevant code in lines 29-31 of the applocation\admin\controller\AdminLog.php file.

The second one:
You can view the relevant code in lines 21 and 63-66 of the applocation\admin\controller\Databack.php file.
Related code files:
/extend/tools/DataBackup.php, line 117.
