Reproduction, analysis and exploitation of the CMSMS SQL injection vulnerability - Vulnerability early warning - Black Bar Safety Net
2019-07-06T00:00:00
ID MYHACK58:62201994902 Type myhack58 Reporter Anonymous (佚名) Modified 2019-07-06T00:00:00
Description
CMS Made Simple (CMSMS) is a simple and convenient content management system developed in PHP and MySQL with the Smarty template engine. It has role-based permission management, a wizard-based installation and update mechanism and a small resource footprint, and it ships with file management, news publishing and RSS modules. In CMS Made Simple
Experimental environment
1. Attacking host: Kali-Linux-2019.2-vm-i386
2. Target host: CN_Windows7_x86_sp1
3. Software version: CMS Made Simple 2.2.8
Tools used
1. BurpSuite v1.7.36
2. python-2.7.15
3. Mozilla Firefox 60.6.2
Vulnerability reproduction
1. The vulnerable URL is as follows: "http://server-ip/cmsms/moduleinterface.php?mact=News,m1_,default,0&m1_idlist="
When the parameter m1_idlist is assigned the value 1, the page shows the news item of June 19; the CMSMS page is as follows:
When the parameter m1_idlist is assigned the value 2, the page shows the news item of June 24; the CMSMS page is as follows:
So when m1_idlist is given different values, the home page displays different news items, i.e. m1_idlist corresponds to the news ID.
2. sqlmap scan
2.1 Obtain the cookie
Set the Mozilla Firefox proxy to 127.0.0.1:8080 so that it points to BurpSuite, then open the vulnerable URL in the browser and look up the cookie details in BurpSuite's HTTP history, as shown below:
2.2 Using the cookie obtained in step 2.1, run sqlmap against the URL parameter m1_idlist. The sqlmap command is as follows:
sqlmap -u "http://192.168.188.140/cmsms/moduleinterface.php?mact=News,m1_,default,0&m1_idlist=1" -p "m1_idlist" --cookie="CMSSESSID6ae120628fa8=v9rtmai3jn0bc4usje1o83c174" --dbms="MySQL" --level 3 --risk 3
2.3 After a long wait, the sqlmap scan result is as shown in the figure below (it actually told me there was no vulnerability; alas, it seems even this divine tool has its off days):
3. Constructed statement test
Since sqlmap missed it, we manually construct a statement to confirm the vulnerability.
Construct the following statement and append it to the parameter m1_idlist:
0,1))and(case+when+(select+sleep(1)+from+cms_users+limit+1)+then+1+else+2+end)+--+
First set the sleep parameter to 1s. The result is shown in the figure below: the server response time is 1141ms, i.e. 1.141s:
Then set the sleep parameter to 5s. The result is shown in the figure below: the server response time is 5163ms, i.e. 5.163s:
With the sleep parameter set to 10s, the server response time is 10184ms, i.e. 10.184s. As the sleep value increases, the response time increases with it. It can therefore be determined that the parameter m1_idlist has a time-based blind SQL injection vulnerability.
Vulnerability analysis
By analyzing the source code we locate the point where the SQL injection arises; the relevant code is shown below:
In the code above, the array elements are cast to integer and then a condition check and an unset() are performed, which looks like filtering and screening of the idlist input but in fact is useless. The following test code shows this in detail:
<?php
// Constructed input: the article's payload appended to the id list
$idlist = "0,1,2))and(case+when+(select+sleep(10)+from+cms_users+limit+1)+then+1+else+2+end)+--+ ";
if( is_string($idlist) ) {
    $tmp = explode(',', $idlist);
    // The loop bound re-reads count($tmp) on every iteration, so each unset() shrinks it
    for ($i = 0; $i < count($tmp); $i++) {
        if( (int)$tmp[$i] < 1 ) unset($tmp[$i]);
    }
    $idlist = array_unique($tmp);
    foreach($idlist as $value){
        echo $value;
        echo "\n";
    }
}
?>
The result of running this test code is shown below:
From the figure above it can be seen that in the variable idlist, "0" is filtered out, while "1" and "2))and(case+when+(select+sleep(10)+from+cms_users+limit+1)+then+1+else+2+end)+--+ " are preserved, which shows that the condition check and the unset() statement only do part of the job.
Why is this so? In the for loop, on the first iteration, since $tmp[0]
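As an added illustration (not code from the article or from CMSMS), the filter loop as the article describes it is shown next to a hardened rewrite of our own; the function names are ours, the inputs are constructed, and PHP 7.4+ is assumed:

```php
<?php
// Added example, not CMSMS code. Function names are ours.

// Variant as described in the article: the loop bound re-evaluates count($tmp)
// on every iteration, so each unset() shrinks it and the last element is
// never checked, which lets a non-numeric tail reach the IN (...) clause.
function filter_idlist_vulnerable(string $idlist): array {
    $tmp = explode(',', $idlist);
    for ($i = 0; $i < count($tmp); $i++) {
        if ((int)$tmp[$i] < 1) unset($tmp[$i]);
    }
    return array_unique($tmp);
}

// Hardened variant (ours): cast every element to int first, then keep only
// positive values, so nothing but positive integers can reach the query.
function filter_idlist_safe(string $idlist): array {
    $ids = array_map('intval', explode(',', $idlist));
    $ids = array_filter($ids, fn(int $v): bool => $v > 0);
    return array_values(array_unique($ids));
}

// Constructed inputs: a benign list and the shape of the article's payload
// with a harmless condition instead of sleep(); only the structure matters.
$inputs = [
    '1,2,3',
    '0,1,2)) and (1=1) -- ',
];

foreach ($inputs as $in) {
    printf("input: %s\n", $in);
    // vulnerable keeps "2)) and (1=1) -- " for the second input; hardened yields 1,2
    printf("  vulnerable -> IN (%s)\n", implode(',', filter_idlist_vulnerable($in)));
    printf("  hardened   -> IN (%s)\n", implode(',', filter_idlist_safe($in)));
}
```

Pinning the loop bound before the loop (for example `$n = count($tmp)`) would also close the skipped-element hole, but casting and filtering in one pass avoids relying on the loop at all.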
Exploitation
1. The exploitation program for the blind SQL injection works by appending a specially constructed SQL statement to the vulnerable URL and then measuring how long MySQL sleeps, in order to enumerate sensitive information from the database. The program consists of get_salt(), get_username(userid), get_email(userid), get_password(userid), crack_password(), beautify_print(), main() and other components. get_salt() retrieves the randomly generated salt stored by the system, which crack_password() needs to crack the user password; get_username(userid) obtains the CMSMS user name; get_email(userid) obtains the e-mail address of the corresponding user; get_password(userid) obtains the corresponding user's password, which is a ciphertext; crack_password() combines the salt, the password ciphertext and a custom dictionary to crack the user's password. The detailed program code is as follows: