Qibo CMS SQL injection vulnerability learning

WBOY
Release: 2016-08-08 09:27:17
Original
1532 people have browsed it

Today I saw an article on vulnerability analysis of a cms on asrc (http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.96tpib&id=13 ), and I feel like Ali Daniel is still a little cautious when writing vulnerability analysis, let alone the method of utilization.

I searched this CMS on Baidu, and the usage is still quite large. I don’t know much about PHP, so I briefly studied it and summarized how to use it.

The cause of the vulnerability is this code in inc/common.inc.php:

if(!ini_get('register_globals')){
	@extract($_FILES,EXTR_SKIP);
}
Copy after login

The meaning of this code is to convert the $_Files request array received by php into some variables. And we know that these variables will not be escaped by magic quotes.

Look at the member/comment.php file again, the following code:

if($job=='del'){
      foreach( $cidDB AS $key=>$value){
		$rs=$db->get_one("SELECT aid FROM {$pre}comment WHERE cid='$value'");
		$erp=get_id_table($rs[aid]);
		$rsdb=$db->get_one("SELECT C.cid,C.uid AS commentuid,C.aid,A.uid,A.fid FROM {$pre}comment C LEFT JOIN {$pre}article$erp A ON C.aid=A.aid WHERE C.cid='$value'");
		if($rsdb[uid]==$lfjuid||$rsdb[commentuid]==$lfjuid||$web_admin||in_array($rsdb[fid],$fiddb)){
			$db->query("DELETE FROM {$pre}comment WHERE cid='$rsdb[cid]'");
		}
		$db->query("UPDATE {$pre}article$erp SET comments=comments-1 WHERE aid='$rsdb[aid]'");
	}
	refreshto("$FROMURL","删除成功",0);
}
Copy after login

Where the variable $cidDB should be the id of the comment obtained from the URL through the get method, and then spelled into the sql statement for execution sql.

But because comment.php refers to common.inc.php and $cidDB is not initialized, here we can use the variables in $_Files to directly assign a value to $cidDB without escaping.

POC: 不 is actually not a POC, it is a simple way of use.

                                                                                                                                                        out out out out of Named: 1' union select version() and '1'='1

Then submit the upload and you can see the return result:

This way A more troublesome problem is: Since the value is stored in two SQL statements, the columns of the two statements are different, so an error will be reported when using union here, and the only way is blind injection. Or you can look for uninitialized variables elsewhere.



Size: 55.3 KB

Size: 26.1 KB

View picture attachment

The above introduces the learning of SQL injection vulnerabilities in Qibo CMS, including the relevant aspects. I hope it will be helpful to friends who are interested in PHP tutorials.

  • Qibo CMS SQL injection vulnerability learning
Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template