2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
SQL injection leading to RCE: an example analysis of CVE-2021-27890. Many newcomers are not clear about how this chain works, so the following explains it in detail for anyone who needs it; I hope you gain something from it.
0x00 Preface
This section explains how this somewhat involved SQL injection leads to RCE, starting with the key points extracted from the full write-up.
1. The template value is passed to the dangerous function eval("string"). Part of that string is read from the database, and the database value comes from user input.
2. The code that gets executed has the following form
eval('echo "hi, ybdt!";')
Filter 1: double quotes inserted into the database are escaped, so injected code cannot break out of the string and is never executed, as shown below
eval('echo "passthru(\"dir\")";')
3. Avoid double quotes in the template value altogether by using the following form instead
eval('echo "${passthru(dir)}";')
Filter 2: MyBB prevents a template from being changed into this form.
4. When a theme is imported, one of the theme's properties has a second-order SQL injection vulnerability, which bypasses the filter in step 3.
0x01 Overview of the remote code execution attack chain
The well-known forum software MyBB, in version 1.8.16 user['username']}
This means that the string eventually passed to eval() is as follows
$modcplink = "{$mybb->user['username']}";
As you can see, the string is enclosed in double quotes, and the PHP variable {$mybb->user['username']} is interpolated into it. Because the template text is stored in the database, MyBB escapes the double quotation marks, so there is no way to break out of the double-quoted string and therefore no way to reach remote code execution this way.
Another PHP trick that can lead to RCE is for the attacker to modify the template and add a $ in front of the braces, turning the variable into string interpolation of a function call, as shown below
$modcplink = "${arbitrary_function()}";
However, MyBB also blocks this PHP-specific technique by preventing administrators from saving templates of this form.
This means that if we can find a way to bypass the MyBB filter, we can still execute arbitrary PHP code. We bypass it through a SQL injection.
MyBB themes can be imported through an XML file that contains a series of theme properties (such as image directories or versions), that is, a series of key-value pairs, where name is the key and value is the content. This is an example:
{$mybb->user['username']}] >
When an administrator imports such a theme, the XML is parsed and the theme properties are stored in the database. There is a second-order SQL injection in the templateset property.
When such a theme is uploaded, its properties are inserted into MyBB's database and are not filtered again in the other SQL queries that use them later.
We already know that the content of a MyBB template is passed to eval(), so an attacker who can control a theme property value can cause arbitrary PHP code execution. The following paragraphs describe the SQL injection that allows an attacker to inject malicious template code into the eval() call.
At the start of every page load, MyBB fetches all template values from the database and stores them in a cache. The SQL query that fetches them uses the templateset property, which is embedded directly in the query string, so a SQL injection vulnerability occurs:
$query = $db->simple_select("templates", "title,template", "title IN ('$sql') AND sid IN ('-2','-1','".$theme['templateset']."')", array('order_by' => 'sid', 'order_dir' => 'asc'));
As shown, the query simply concatenates the templateset property. Using a malicious theme, an attacker can control this property and make the cache function return attacker-controlled values. This is an example of a SQL injection payload in such a crafted theme:
') AND 1=0 UNION SELECT title,'${passthru(\'ls\')}' FROM mybb_templates--
The final SQL query will look like this:
SELECT title, template FROM mybb_templates WHERE title IN ('header_welcomeblock_member_moderator','...') AND sid IN ('-2','-1','') AND 1=0 UNION SELECT title,'${passthru(\'ls\')}' FROM mybb_templates--')
With this SQL injection, the template cache is poisoned with attacker-controlled data without any escaping or filtering. These template values are entirely under the attacker's control and are then passed into the double-quoted string of eval(), so arbitrary PHP code can be executed through the ${} syntax. Ultimately, an attacker can execute arbitrary PHP code and take over the server.
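As an added example (not code from MyBB or from this write-up), the following Python model shows the two defensive steps that break this chain at the import/query boundary: rejecting any templateset property that is not a plain integer, and passing it to the template query as a bound parameter rather than by concatenation. The theme XML layout, element names and table rows are constructed assumptions, not MyBB's real schema.

```python
"""Defensive checks for the theme-import / template-cache query described above."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed theme XML. The <properties> key/value layout follows the description
# on this page; the element names are an assumption, not MyBB's real theme schema.
BENIGN_THEME = """<theme name="Demo" version="1816">
  <properties><templateset>1</templateset><imgdir>images</imgdir></properties>
</theme>"""
INJECTED_THEME = """<theme name="Demo" version="1816">
  <properties><templateset>1') UNION SELECT title,'x' FROM mybb_templates--</templateset></properties>
</theme>"""


def theme_properties(xml_text):
    """Return the theme's key/value properties as a dict."""
    root = ET.fromstring(xml_text)
    return {el.tag: (el.text or "") for el in root.find("properties")}


def validate_templateset(value):
    """Accept only a plain positive integer; anything else is rejected at import time,
    so an injected string never reaches the query that builds the template cache."""
    if not re.fullmatch(r"[1-9][0-9]*", value.strip()):
        raise ValueError(f"rejected templateset property: {value!r}")
    return int(value)


def fetch_templates(conn, titles, templateset):
    """Parameterised equivalent of the concatenated simple_select() query shown above."""
    placeholders = ",".join("?" * len(titles))
    sql = (f"SELECT title, template FROM mybb_templates WHERE title IN ({placeholders}) "
           "AND sid IN (-2, -1, ?) ORDER BY sid ASC")
    return conn.execute(sql, (*titles, templateset)).fetchall()


def demo_db():
    """In-memory stand-in for the mybb_templates table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mybb_templates (sid INTEGER, title TEXT, template TEXT)")
    conn.executemany("INSERT INTO mybb_templates VALUES (?,?,?)", [
        (-2, "header_welcomeblock_member_moderator", "{$mybb->user['username']}"),
        (1, "header_welcomeblock_member_moderator", "custom {$mybb->user['username']}"),
        (7, "header_welcomeblock_member_moderator", "belongs to another theme"),
    ])
    return conn


def import_theme(conn, xml_text):
    """Validate the property first, then query with the integer only."""
    sid = validate_templateset(theme_properties(xml_text)["templateset"])
    return fetch_templates(conn, ["header_welcomeblock_member_moderator"], sid)
```

With the benign theme the query returns only the master (sid -2) and theme (sid 1) rows; the injected theme is refused before any SQL is built.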