Qibo CMS variable overwrite leads to SQL injection: vulnerability analysis report - vulnerability warning - the black bar safety net

ID MYHACK58:62201560083
Type myhack58
Reporter Anonymous
Modified 2015-03-19T00:00:00


Blog post author: Alibaba security research lab—supporting su

Release date: 2015-3-10

Blog post content: Recently the Alibaba security research lab's vulnerability monitoring system detected a high-risk vulnerability in Qibo CMS that can lead to SQL injection and thereby compromise server security. The monitoring system flagged the location where a variable overwrite vulnerability may exist, as follows:

(image: 1.jpg)

0x01 Analysis

From the monitoring system's output we can infer that this is a variable overwrite vulnerability caused by $_FILES. The vulnerable file is /inc/common.inc.php. That file calls @extract($_FILES, EXTR_SKIP) to register the entries of $_FILES as variables, relying on EXTR_SKIP to avoid overwriting variables that already exist. To exploit the variable overwrite we therefore need to look for variables that are initialized late, i.e. only after the extract() call. The global include filters the GPC variables as follows:

```php
$_POST=Add_S($_POST);
$_GET=Add_S($_GET);
$_COOKIE=Add_S($_COOKIE);
// Note: $_FILES is never passed through Add_S.
function Add_S($array){
    foreach($array as $key=>$value){
        // Keys may not contain ' " or &
        @eregi("['\\"&]+",$key) && die('ERROR KEY!');
        if(!is_array($value)){
            // Break up hex entities; the search string "&#x" was lost in
            // extraction and is restored here from the replacement "& # x"
            $value=str_replace("&#x","& # x",$value); //filter some unsafe characters
            $value=preg_replace("/eval/i","eva l",$value); //filter unsafe function
            !get_magic_quotes_gpc() && $value=addslashes($value);
            $array[$key]=$value;
        }else{
            $array[$key]=Add_S($array[$key]);
        }
    }
    return $array;
}
```

From the above, POST content is subject to the GPC filtering, whereas values passed through $_FILES are not, so only the $key of a $_FILES entry can be used to bypass the Add_S function. Each parameter passed in $_FILES is an array, so by default the $key of $_FILES can be used to overwrite an array variable.
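The mechanism described above can be reproduced locally. The following script is an added example, not code from Qibo CMS or the original post: it fills $_FILES by hand with a constructed upload entry (no real upload happens), applies the same extract($_FILES, EXTR_SKIP) pattern, and shows that a variable defined before the call is protected while a name that is first assigned later is seeded from the attacker-chosen field name. The hardened variant only registers an explicit whitelist of expected upload fields; the field name 'attachment' and the prefix 'qb_' are assumptions.

```php
<?php
// Added example (not Qibo CMS code). Demonstrates why EXTR_SKIP only protects
// variables that already exist at the time of the extract() call.

// Constructed $_FILES content: the key is the form field name chosen by the
// client; the value is the metadata array PHP builds for every uploaded file.
$files = [
    'cidDB' => ['name' => 'seeded-from-files', 'type' => 'text/plain',
                'tmp_name' => '/tmp/phpDEMO', 'error' => 0, 'size' => 1],
    'pre'   => ['name' => 'seeded-from-files', 'type' => 'text/plain',
                'tmp_name' => '/tmp/phpDEMO', 'error' => 0, 'size' => 1],
];

// Same pattern as /inc/common.inc.php: register every upload field as a variable.
function vulnerableRegister(array $files): array
{
    $pre = 'qb_';                  // defined BEFORE extract: EXTR_SKIP keeps it
    extract($files, EXTR_SKIP);    // $cidDB did not exist yet, so it is created
    return ['pre' => $pre, 'cidDB' => $cidDB ?? null];
}

// Hardened registration: only the upload fields the page actually expects
// become variables, so an unexpected field name cannot become script state.
function hardenedRegister(array $files, array $expected): array
{
    $pre = 'qb_';
    $allowed = array_intersect_key($files, array_flip($expected));
    extract($allowed, EXTR_SKIP);
    return ['pre' => $pre, 'cidDB' => $cidDB ?? null];
}

$v = vulnerableRegister($files);
// $v['pre'] is still 'qb_', but $v['cidDB'] is the metadata array from $_FILES
echo "vulnerable: pre=", $v['pre'], " cidDB=", json_encode($v['cidDB']), "\n";

$h = hardenedRegister($files, ['attachment']);
// $h['cidDB'] is null: the unexpected field name was never registered
echo "hardened:   pre=", $h['pre'], " cidDB=", json_encode($h['cidDB']), "\n";
```

The safer design is not to extract a user-controlled superglobal at all and to read the specific upload fields a page needs directly from $_FILES; the whitelist version above is the minimal change if the extract() call must stay for compatibility.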

(image: 2.jpg)

Therefore, we only need to find an array variable that is initialized last (after the extract() call) and whose values flow into a query in order to obtain SQL injection. Take an arbitrary point as an example: /member/comment.php.

```php
if($job=='del'){
    // $cidDB is never assigned before this point, so extract($_FILES) can supply it
    foreach($cidDB AS $key=>$value){
        var_dump($mei);
        // $value is interpolated into the query without escaping
        $rs=$db->get_one("SELECT aid FROM {$pre}comment WHERE cid='$value'");
        $erp=get_id_table($rs[aid]);
        $rsdb=$db->get_one("SELECT C.cid,C.uid AS commentuid,C.aid,A.uid,A.fid FROM {$pre}comment C LEFT JOIN {$pre}article$erp A ON C.aid=A.aid WHERE C.cid='$value'");
        if($rsdb[uid]==$lfjuid||$rsdb[commentuid]==$lfjuid||$web_admin||in_array($rsdb[fid],$fiddb)){
            $db->query("DELETE FROM {$pre}comment WHERE cid='$rsdb[cid]'");
        }
        $db->query("UPDATE {$pre}article$erp SET comments=comments-1 WHERE aid='$rsdb[aid]'");
    }
    refreshto("$FROMURL","delete success",0);
}
```

$cidDB is not initialized anywhere before this point, so it is one of the late-initialized variables we were looking for. $value is placed directly into the query, leading to SQL injection.
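A hardened rewrite of the deletion branch, added here as an example and not taken from Qibo CMS: it reads the comment ids explicitly from $_POST instead of relying on variables registered by extract(), keeps only positive integer ids, and sends every query through PDO prepared statements. It assumes a PDO connection in $db rather than the CMS's own $db wrapper; get_id_table() is the CMS helper seen in the original code, and a constructed stand-in is defined only so the file runs on its own.

```php
<?php
// Added hardened example (not Qibo CMS code). Assumes $db is a PDO instance.

if (!function_exists('get_id_table')) {
    // Constructed stand-in for the CMS helper so this file runs stand-alone;
    // the real one maps an article id to the suffix of its article table.
    function get_id_table($aid): string { return ''; }
}

function deleteComments(PDO $db, string $pre, array $rawIds, int $lfjuid,
                        bool $webAdmin, array $fiddb): int
{
    // Only positive integer ids survive. Strings containing quotes, nested
    // arrays (such as the metadata arrays $_FILES carries) and negatives are
    // dropped before they get anywhere near SQL.
    $ids = [];
    foreach ($rawIds as $v) {
        if (is_int($v) && $v > 0) {
            $ids[] = $v;
        } elseif (is_string($v) && ctype_digit($v) && (int)$v > 0) {
            $ids[] = (int)$v;
        }
    }

    // The prefix is configuration, but it is interpolated into SQL as an
    // identifier, so pin it to identifier characters anyway.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $pre)) {
        throw new InvalidArgumentException('bad table prefix');
    }

    $deleted = 0;
    foreach ($ids as $cid) {
        $st = $db->prepare("SELECT aid FROM {$pre}comment WHERE cid = ?");
        $st->execute([$cid]);
        $rs = $st->fetch(PDO::FETCH_ASSOC);
        if (!$rs) {
            continue;
        }

        // The helper's result names a table; validate before interpolation.
        $erp = get_id_table($rs['aid']);
        if (!preg_match('/^[A-Za-z0-9_]*$/', $erp)) {
            throw new RuntimeException('bad article table suffix');
        }

        $st = $db->prepare(
            "SELECT C.cid, C.uid AS commentuid, C.aid, A.uid, A.fid
             FROM {$pre}comment C
             LEFT JOIN {$pre}article{$erp} A ON C.aid = A.aid
             WHERE C.cid = ?"
        );
        $st->execute([$cid]);
        $rsdb = $st->fetch(PDO::FETCH_ASSOC);
        if (!$rsdb) {
            continue;
        }

        $allowed = $rsdb['uid'] == $lfjuid
                || $rsdb['commentuid'] == $lfjuid
                || $webAdmin
                || in_array($rsdb['fid'], $fiddb);
        if (!$allowed) {
            continue;   // unauthorized ids are skipped; the counter is untouched
        }

        $db->prepare("DELETE FROM {$pre}comment WHERE cid = ?")
           ->execute([$rsdb['cid']]);
        $db->prepare("UPDATE {$pre}article{$erp} SET comments = comments - 1 WHERE aid = ?")
           ->execute([$rsdb['aid']]);
        $deleted++;
    }
    return $deleted;
}

// Usage inside the 'del' branch: ids come from the form field, never from
// extract()'d globals. $lfjuid, $web_admin and $fiddb are the session values
// the original code already uses.
// $n = deleteComments($db, 'qb_', $_POST['cidDB'] ?? [], (int)$lfjuid, (bool)$web_admin, $fiddb);
```

Two behaviour changes relative to the original are deliberate: the comment counter is only decremented when the delete was actually authorized (the original decremented it unconditionally), and ids that fail validation are silently dropped rather than interpolated, so a crafted value can no longer change the shape of the query.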

(image: 3.jpg)

0x02 Exploitation

Construct a $_FILES entry whose key overwrites the $cidDB variable and POST it to /member/comment.php. The result:

(image: 4.jpg)