PHPCMS V9 sys_auth() multiple SQL injection vulnerabilities - vulnerability warning - the black bar safety net

2011-09-18T00:00:00
ID MYHACK58:62201131864
Type myhack58
Reporter Anonymous
Modified 2011-09-18T00:00:00

Description

by Flyh4t mail: phpsec#hotmail.com

1. Description:

phpcms uses the sys_auth function to encrypt and decrypt cookie data, and many files in the system take variables straight from the cookie and feed them into the program flow. Because sys_auth is flawed both in its design and in the way it is used, a registered user can forge cookie data and trigger SQL injection as well as a number of secondary attacks.

2. Analysis:

See the sys_auth function code:

[code]
//libs/functions/global.func.php
function sys_auth($txt, $operation = 'ENCODE', $key = '') {
    // 'auth_key' is the random 20-character string generated when the system is installed
    $key = $key ? $key : pc_base::load_config('system', 'auth_key');
    $txt = $operation == 'ENCODE' ? (string)$txt : base64_decode($txt);
    $len = strlen($key);
    $code = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        $k = $i % $len;
        // repeating-key XOR: byte i of the text is XORed with byte (i mod keylen) of the key
        $code .= $txt[$i] ^ $key[$k];
    }
    $code = $operation == 'DECODE' ? $code : base64_encode($code);
    return $code;
}
[/code]

"Encryption" is nothing more than XORing the text with $auth_key, a random string of length 20 that is generated when the system is installed. To forge cookie variables we need to know $auth_key, so let's look at how to obtain it.

The registered-user login process:

[code]
//phpcms/modules/member/index.php
public function login() {
    ......
    param::set_cookie('auth', $phpcms_auth, $cookietime);
    param::set_cookie('_userid', $userid, $cookietime);
    param::set_cookie('_username', $username, $cookietime);
    param::set_cookie('_groupid', $groupid, $cookietime);
    param::set_cookie('_nickname', $nickname, $cookietime);
    param::set_cookie('cookietime', $_cookietime, $cookietime);
    ......

//phpcms/libs/classes/param.class.php
public static function set_cookie($var, $value = '', $time = 0) {
    $time = $time > 0 ? $time : ($value == '' ? SYS_TIME - 3600 : 0);
    $s = $_SERVER['SERVER_PORT'] == '443' ? 1 : 0;
    $var = pc_base::load_config('system', 'cookie_pre').$var;
    $_COOKIE[$var] = $value;
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            setcookie($var.'['.$k.']', sys_auth($v, 'ENCODE'), $time, pc_base::load_config('system', 'cookie_path'), pc_base::load_config('system', 'cookie_domain'), $s);
        }
    } else {
        setcookie($var, sys_auth($value, 'ENCODE'), $time, pc_base::load_config('system', 'cookie_path'), pc_base::load_config('system', 'cookie_domain'), $s);
    }
}
[/code]

As can be seen clearly, on login $username is run through sys_auth and the result is stored in the cookie. So register a user whose username is 19 characters long (the maximum is 20, but one byte is needed for the terminating \0, so in practice only 19). After logging in, take the corresponding value out of the cookie and you can reverse-compute the first 19 bytes of $auth_key.

The reversal function is as follows:

[code]
function antisys_auth() {
    // paste the _username cookie value (URL-encoded base64) and the username it was made from
    $txt = base64_decode(urldecode('your cookie value here'));
    $name = 'your user name';
    $len = 20;
    $key = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        $k = $i % $len;
        // ciphertext XOR known plaintext = key byte at that position
        $key .= $txt[$i] ^ $name[$k];
    }
    return $key;
}
[/code]

How do we get the remaining last byte of $auth_key? That is very simple: find any place where a variable fetched with get_cookie() flows into an SQL statement, and use the phpcms SQL error mechanism to tell success from failure, so the last byte is easily brute-forced.
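The XOR scheme and the reversal described above, re-implemented in Python as an added example (it is not the advisory's or PHPCMS's code) to show why a repeating-key XOR gives no integrity at all, and what an integrity-protected cookie looks like instead. The 20-byte key, the username, the server secret and the sign_cookie/verify_cookie functions are all constructed for this example.

```python
"""Why a sys_auth()-style XOR cookie can be forged, and an HMAC-protected alternative.
Constructed sample data only; no real PHPCMS key or cookie is used."""
import base64
import binascii
import hashlib
import hmac

# Constructed 20-byte install key, the same length PHPCMS v9 generates at install time.
SAMPLE_AUTH_KEY = b"Q7x!mK2pL9vR4sT0wZ1e"
assert len(SAMPLE_AUTH_KEY) == 20
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sys_auth_encode(txt: bytes, key: bytes = SAMPLE_AUTH_KEY) -> str:
    """Python equivalent of sys_auth($txt, 'ENCODE'): repeating-key XOR, then base64."""
    xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(txt))
    return base64.b64encode(xored).decode("ascii")


def sys_auth_decode(cookie: str, key: bytes = SAMPLE_AUTH_KEY) -> bytes:
    """Python equivalent of sys_auth($txt, 'DECODE'): base64, then the same XOR."""
    raw = base64.b64decode(cookie)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))


def recover_key_prefix(cookie: str, known_plaintext: bytes) -> bytes:
    """The reversal the advisory calls antisys_auth: XOR is its own inverse, so
    ciphertext XOR known plaintext yields the key bytes at those positions. A 19-character
    username therefore reveals 19 of the 20 key bytes to the user who owns that cookie."""
    raw = base64.b64decode(cookie)
    n = min(len(raw), len(known_plaintext))
    return bytes(raw[i] ^ known_plaintext[i] for i in range(n))


def server_accepts_forgery(recovered_prefix: bytes, value: bytes) -> bool:
    """Any value no longer than the recovered prefix can be encoded from partial key
    knowledge alone; sys_auth has no integrity check, so the server decodes it as genuine."""
    if len(value) > len(recovered_prefix):
        return False
    forged = sys_auth_encode(value, recovered_prefix)  # built with only the known bytes
    return sys_auth_decode(forged) == value             # decoded with the full real key


def sign_cookie(value: bytes, secret: bytes) -> str:
    """Hardened replacement (constructed here, not PHPCMS code): append an HMAC-SHA256 tag
    so any modification is detectable. HMAC gives integrity, not secrecy; if the value must
    also stay hidden, encrypt it first and MAC the ciphertext."""
    tag = hmac.new(secret, value, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(value + tag).decode("ascii")


def verify_cookie(cookie: str, secret: bytes):
    """Return the value if the tag verifies, else None. The comparison is constant-time and
    a bad tag is rejected before the value can reach any SQL statement, so a verbose SQL
    error page can no longer serve as a byte-at-a-time oracle."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except (binascii.Error, ValueError):
        return None
    if len(raw) < TAG_LEN:
        return None
    value, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, value, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return value


def every_single_byte_change_rejected(cookie: str, secret: bytes) -> bool:
    """Flip one bit in each byte of the cookie in turn; every variant must be rejected."""
    raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    for i in range(len(raw)):
        mutated = bytearray(raw)
        mutated[i] ^= 0x01
        tampered = base64.urlsafe_b64encode(bytes(mutated)).decode("ascii")
        if verify_cookie(tampered, secret) is not None:
            return False
    return True


if __name__ == "__main__":
    username = b"abcdefghijklmnopqrs"          # 19 characters, the maximum the advisory notes
    cookie = sys_auth_encode(username)         # what set_cookie('_username', ...) would store
    prefix = recover_key_prefix(cookie, username)
    print("recovered 19 of 20 key bytes:", prefix == SAMPLE_AUTH_KEY[:19])
    print("forged value accepted by sys_auth:", server_accepts_forgery(prefix, b"forged-value"))
    secret = b"constructed-server-secret"
    signed = sign_cookie(b"_userid=42", secret)
    print("signed cookie verifies:", verify_cookie(signed, secret) == b"_userid=42")
    print("every tampered variant rejected:", every_single_byte_change_rejected(signed, secret))
```

The XOR half shows the root cause: the scheme offers no integrity, so knowing any plaintext/ciphertext pair (your own username) exposes key material, and the one unknown byte can be guessed because the server tells you whether a decoded value was well-formed SQL. The HMAC half removes both properties at once: no key material leaks from a valid cookie, and a cookie that fails verification is dropped before it reaches the database, so the error page has nothing to reveal.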

[code]
public function halt($message = '', $sql = '') {
    $this->errormsg = "<b>MySQL Query : </b> $sql <br /><b> MySQL Error : </b>".$this->error()." <br /> <b>MySQL Errno : </b>".$this->errno()." <br /><b> Message : </b> $message <br /><a href=\"http://faq.phpcms.cn/?errno=".$this->errno()."&amp;msg=".urlencode($this->error())."\" target=\"_blank\" style=\"color:red\">Need Help?</a>";
    $msg = $this->errormsg;
    echo '<div style="font-size:12px;text-align:left; border:1px solid #9cc9e0; padding:1px 4px;color:#000000;font-family:Arial, Helvetica,sans-serif;"><span>'.$msg.'</span></div>';
    exit;
}
[/code]

3. Exploitation:

EXP: missing