Reproduction, analysis and exploitation of the CMSMS SQL injection vulnerability - Vulnerability warning - the black bar safety net

ID MYHACK58:62201994902
Type myhack58
Reporter Anonymous
Modified 2019-07-06T00:00:00


CMS Made Simple (CMSMS) is a simple and convenient content management system developed with PHP, MySQL and the Smarty template engine. It has role-based rights management, wizard-based installation and update mechanisms and a small resource footprint, and it ships with file management, news publishing and RSS modules.

Experimental environment
1. Attacking host: Kali-Linux-2019.2-vm-i386
2. Target host: CN_Windows7_x86_sp1
3. Software version: CMS Made Simple 2.2.8

Tools involved
1. BurpSuite v1.7.36
2. python-2.7.15
3. Mozilla Firefox 60.6.2

Vulnerability reproduction

1. The vulnerable URL is: "http://server-ip/cmsms/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=". When the parameter m1_idlist is set to 1, the page shows the June 19 news item; the cmsms page is as follows: [figure omitted]. When m1_idlist is set to 2, the page shows the June 24 news item: [figure omitted]. So giving m1_idlist different values makes the home page display different news content, i.e. m1_idlist corresponds to the news ID.

2. sqlmap scan

2.1 Get the cookie. Set the Mozilla Firefox proxy to 127.0.0.1:8080 so that it points to BurpSuite, then access the exploit URL in the browser and find the cookie details in BurpSuite's HTTP history, as shown below: [figure omitted]

2.2 Using the cookie obtained in step 2.1, run sqlmap against the vulnerable URL parameter m1_idlist. The sqlmap command is as follows:

sqlmap -u ",m1_,default,0&m1_idlist=1" -p "m1_idlist" --cookie="CMSSESSID6ae120628fa8=v9rtmai3jn0bc4usje1o83c174" --dbms="MySQL" --level 3 --risk 3

2.3 After a long wait, the sqlmap scan result is shown in the figure below (it actually told me there was no vulnerability; alas, it seems even the "magic tool" has its off days): [figure omitted]

3. Manual statement test

Since the sqlmap "magic tool" missed, we manually construct a statement to confirm the vulnerability. Construct the following statement and splice it onto the parameter m1_idlist:

0,1))and(case+when+(select+sleep(1)+from+cms_users+limit+1)+then+1+else+2+end)+--+

First, with the sleep parameter set to 1s, the result of the run is shown in the figure below; the server response time is 1141ms, i.e. 1.141s: [figure omitted]

Next, with the sleep parameter set to 5s, the server response time is 5163ms, i.e. 5.163s: [figure omitted]

With the sleep parameter set to 10s, the server response time is 10184ms, i.e. 10.184s. As the sleep value increases, the response time increases with it. It can therefore be determined that the parameter m1_idlist has a time-based blind SQL injection vulnerability.

Vulnerability analysis

By analysing the source code we locate the point where the SQL injection arises; the relevant code is shown below: [figure omitted]

In the code above, the array elements are cast to integer and then subjected to a condition check and an unset operation, which appears to filter and screen the idlist input, but in fact it is useless. The following test code shows this in detail:

<?php
$idlist = "0,1,2))and(case+when+(select+sleep(10)+from+cms_users+limit+1)+then+1+else+2+end)+--+ ";
if( is_string($idlist) ) {
    $tmp = explode(',', $idlist);
    // the loop bound count($tmp) is re-evaluated on every iteration
    for( $i = 0; $i < count($tmp); $i++ ) {
        $tmp[$i] = (int)$tmp[$i];
        if( $tmp[$i] < 1 ) unset($tmp[$i]);
    }
    $idlist = array_unique($tmp);
    foreach( $idlist as $value ) {
        echo $value;
        echo "\n";
    }
}
?>

The result of running this test code is shown below: [figure omitted]

From the figure above it can be seen that the idlist element "0" is filtered out, while "1" and "2))and(case+when+(select+sleep(10)+from+cms_users+limit+1)+then+1+else+2+end)+--+ " are preserved, which shows that the condition check and the unset statement only do part of their job. Why is this? On the first iteration of the for loop, since $tmp[0]

Exploit

1. The exploit program for this blind SQL injection works by splicing specially constructed SQL statements onto the exploit URL and measuring the MySQL sleep duration, thereby enumerating sensitive information from the database. The program consists of get_salt(), get_username(userid), get_email(userid), get_password(userid), crack_password(), beautify_print(), main() and other components. get_salt() obtains the randomly generated salt value, which crack_password() uses to crack user passwords; get_username(userid) obtains the cmsms user name; get_email(userid) obtains the mailbox corresponding to that user; get_password(userid) obtains the password corresponding to that user, in ciphertext form; crack_password() combines the salt value, the password ciphertext and a custom dictionary to crack the user's password. The program's detailed code is as follows:
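To make the loop bug in the analysis above concrete, here is an added example (my code, not CMSMS's and not the article's) that places the vulnerable idlist filter next to a hardened one. The function names are mine, and joining the surviving ids into an "IN (...)" clause is my assumption about how the News module uses them, included only to make the effect visible.

```php
<?php
// Added example, not CMSMS or the article's code. Function names are mine;
// that the ids are joined into an "IN (...)" clause is an assumption about the
// News module, used here only to show what the unchecked element does to a query.

// Vulnerable pattern from the analysis: unset() inside a for loop whose bound
// count($tmp) is re-evaluated each iteration. Dropping element 0 shrinks the
// count, so the last element is never cast, never checked, and survives as-is.
function filter_idlist_vulnerable(string $idlist): array {
    $tmp = explode(',', $idlist);
    for ($i = 0; $i < count($tmp); $i++) {
        $tmp[$i] = (int)$tmp[$i];
        if ($tmp[$i] < 1) unset($tmp[$i]);
    }
    return array_values(array_unique($tmp));
}

// Hardened: cast every element first, then drop non-positive ids. Every element
// is visited exactly once, so only integers >= 1 can reach the query.
function filter_idlist_hardened(string $idlist): array {
    $ids = array_map('intval', explode(',', $idlist));
    $ids = array_filter($ids, fn(int $id): bool => $id >= 1);
    return array_values(array_unique($ids));
}

// Assumed shape of the query fragment built from the filtered ids.
function in_clause(array $ids): string {
    return 'AND news_id IN (' . implode(',', $ids) . ')';
}

// Constructed input shaped like the page's payload (URL-decoded, "+" -> space).
$payload = '0,1,2))and(case when (select sleep(10) from cms_users limit 1) then 1 else 2 end) -- ';

// The third element is still a string here: it closes the IN() list and
// appends its own condition to the query.
echo in_clause(filter_idlist_vulnerable($payload)), "\n";

// Here every element was cast, so the clause contains only the numbers 1 and 2.
echo in_clause(filter_idlist_hardened($payload)), "\n";
```

Running it prints the vulnerable clause still carrying the case/sleep expression after the closing parenthesis, while the hardened clause contains only the two integer ids.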
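From the defender's side, an added example that is not part of the article: a scanner over web-server access-log lines that flags requests whose m1_idlist is anything other than a comma-separated list of positive news IDs, which is the only shape the parameter legitimately takes in the reproduction above. The log lines are constructed samples in Apache common log format, and the function names are mine.

```php
<?php
// Added example, not from the article. Detection only: flag requests to the
// CMSMS News module whose m1_idlist is not a plain comma-separated list of
// positive integers. The log lines below are constructed samples.

// Returns the offending decoded m1_idlist value, or null if the request is
// clean or does not carry the parameter at all.
function suspicious_idlist(string $request_target): ?string {
    $query = parse_url($request_target, PHP_URL_QUERY);
    if (!is_string($query)) return null;
    parse_str($query, $params);   // percent-decodes and turns "+" into spaces
    if (!isset($params['m1_idlist']) || !is_string($params['m1_idlist'])) return null;
    $idlist = $params['m1_idlist'];
    return preg_match('/^[1-9][0-9]*(,[1-9][0-9]*)*$/', $idlist) === 1 ? null : $idlist;
}

// Scans log lines and returns [client ip => [offending idlist values]].
function scan_access_log(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        // client ip is the first field; request target sits inside "GET ... HTTP/x.y"
        if (!preg_match('/^(\S+) .*"(?:GET|POST) (\S+) HTTP\//', $line, $m)) continue;
        $bad = suspicious_idlist($m[2]);
        if ($bad !== null) $hits[$m[1]][] = $bad;
    }
    return $hits;
}

// Constructed sample log: one legitimate news request, one time-based
// injection probe shaped like the page's payload, one unrelated request.
$sample_log = [
    '10.0.0.5 - - [19/Jun/2019:10:00:01 +0800] "GET /cmsms/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [19/Jun/2019:10:00:09 +0800] "GET /cmsms/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=0,1))and(case+when+(select+sleep(1)+from+cms_users+limit+1)+then+1+else+2+end)+--+ HTTP/1.1" 200 5120',
    '10.0.0.7 - - [19/Jun/2019:10:01:00 +0800] "GET /cmsms/index.php HTTP/1.1" 200 2048',
];

foreach (scan_access_log($sample_log) as $ip => $values) {
    foreach ($values as $v) {
        echo $ip, " sent a non-numeric m1_idlist: ", $v, "\n";
    }
}
```

Only the second line is reported; a timing column (for example Apache's %D) alongside the flagged request would let you correlate it with the response-time growth the reproduction relies on.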
