destoon 6.0 guestbook.php general sql injection vulnerability

Posted by tzul at 2020-02-24

Patch analysis

I just saw that today I released the update of destoon 6.0 2017-01-09. Using the method I mentioned in the code audit small secret circle, I found a SQL injection vulnerability that was fixed in an instant. Use 20 minutes at noon to analyze it.

Let's look at diff first:

In mobile / guestbook.php, delete $'u server ['http'user'agent ']. To analyze, here is the message board on the mobile terminal. Destoon puts the user agent of the user into the message content variable $post [content].

$_SERVER['HTTP_USER_AGENT'] $post[content]

As far as I know about destoon, GPC has been escaped and WAF globally, but user agent has not been filtered, so there may be a SQL injection vulnerability here.

So take a look at it later. It calls the add method of the guestbook class, passing the $post variable in:


Here, $this - > set ($post) is called for processing. Follow up:


Simple analysis shows that:

strip_tags htmlspecialchars trim in_array($post['type'], $TYPE) ? '['.$post['type'].']' : '' substr($post['content'], 30) addslashes trim

First look at the content. Because the htmlspecialchars in the destoon has set the ent_quotes parameter, the single quotation mark has also been escaped. We can't escape the single quotation mark directly, but because there is no escape, we can use content to eliminate a single quotation mark.


The following title intercepts 30 characters from content (leaving $post ['type '] blank), so we can probably construct such a content: user(), 0,0,0,0,0,2)\

$post['type'] ,user(),0,0,0,0,0,0,2);...\

The last executed SQL statement is as follows:

Loophole utilization

But there is a problem with the above SQL statement, because part of the original information -- from ',' 0 ',' 1484286570 ',' ',' 0 ',' 2 ',' 1484286570 ',' ',' 0 ',', '2') is discarded by us, and this part can't be annotated (because of line breaking). During the execution, errors will occur, leading to execution failure.


What shall I do?

In fact, the reason why it can't be executed here is that there is a newline character \ n, but because there is a substr ($post ['content '], 30) in front of it, we only need to set the length to be greater than 30 to cut the newline character.

substr($post['content'], 30)

So, my final payload is as follows: 0,0,0,0,0,0, user(), 3) the last bit of UA is set to \, as shown below:

,0,0,0,0,0,0,user(),3)########## \

You can successfully inject information in the reply position:

However, as you can see, there is a 30 character limit for this injection, so please pay attention to the following points:

Length limit bypass

[code audit] in the small secret circle, @ Yu proposes that the login user can actually inject the administrator account password.

We can see from the code in front of diff that the login user actually has many controllable fields:

For example, true name, telephone, email, QQ, MSN, Ali, Skype and so on, we only need to find the field which can control the content, and use the method of multiple field splicing to bypass the length limit. I won't go into details. If you are interested, you can go to see the POC given by @ rain.

Finally, I want to sigh about the previous method. The interesting point is that it is the same as many problems in CTF, but it is also so coincidental - coincidentally, the part in front of content has addslashes, and the last part has htmlspecialchars instead of addslashes. In other words, there is no single quotation mark at the back, but there is a backslash; there is no backslash at the front, but there is an extra single quotation mark. The combination of the two constitutes a SQL injection vulnerability.

Finally, please upgrade the 20170109 version as soon as possible to fix this vulnerability.

====Split line ====

At the bottom of the link, there is a way to add the [code audit] small secret circle: