Shulou(Shulou.com)05/31 Report--

SQL injection led to RCE vulnerability CVE-2021-27890 example analysis, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

Preface of 0x00

Let's explain the principle of the formation of RCE caused by this somewhat complex SQL injection, starting with the key parts of the full text extraction.

1. The value of the template uses the dangerous function eval ("string"). Part of the string is taken from the database, and the value taken from the database is input by the user.

2. Want to execute the code in the following form

Eval ('echo "hi, ybdt!')

Encounter filter 1: escape the double quotes inserted into the database, so that the unable code cannot be executed, as shown below

Eval ('echo "passthru (\" dir\ ")";')

3. Do not use double quotation marks in template values, even if you use the following form

Eval ('echo "${passthru (dir)}";')

Encounter filter 2: MyBB will prevent the template from being changed to this form

4. When importing a template, there is a second-order SQL injection vulnerability in an attribute of the template, so as to bypass the filtering in 3.

Overview of 0x01 remote code execution attack chain

The famous foreign forum software MyBB in 1.8.16user ['username']}

This means that the string eventually passed to eval () is as follows

$modcplink = "{$mybb- > user ['username']}"

As you can see, the string is enclosed in double quotes, and the PHP variable {$mybb- > user ['username']} is inserted into the string. Because {$mybb- > user ['username']} is stored in the database, MyBB escapes the double quotation marks, so there is no way to jump out of the double quotation marks and therefore cannot cause remote code execution.

Another PHP trick that can lead to RCE is that the attacker modifies the template, adds a $to the variable, and becomes a string interpolation, as shown below

$modcplink = "${arbitrary_function ()}"

However, MyBB also blocks this unique PHP technique by preventing administrators from inserting such a form.

This means that if we can find a way to bypass the MyBB filter, we will still be able to execute arbitrary PHP code. We will bypass through a SQL injection implementation

MyBB themes can be imported through a XML file, which contains a series of theme attributes (such as image directories or versions), that is, a series of key-value pairs that will be read, where name is key-related and value is content. This is an example:

{$mybb- > user ['username']}] >

When an administrator imports such a topic, the XML is parsed and the topic properties are stored in the database. There is second-order SQL injection in templateset attribute.

When these topics are uploaded, they are inserted into the database instance of MyBB and are not filtered in other SQL queries that follow

We already know that the value of the content of the MyBB template will be passed to eval (), so an attacker who can control the value of the subject attribute will be able to cause arbitrary PHP code execution. The following paragraphs describe SQL injection, which allows an attacker to inject malicious template code into an eval () call.

At the beginning of each page being loaded, MyBB fetches all template values from the database and stores them in a cache, where the SQL query fetches all template values using the templateset attribute, which is embedded in the query string, so a SQL injection vulnerability occurs:

$query = $db- > simple_select ("templates", "title,template", "title IN ('$sql) AND sid IN)". $theme ['templateset']. ")", array (' order_by' = > 'sid',' order_dir' = > 'asc')

As shown, the query simply concatenates the templateset attributes. Using a malicious theme, a person can control this property and then let the cache function return the value controlled by the attacker. This is an example of using a SQL injection payload for such a constructed theme:

') AND 1' 0 UNION SELECT title,'${passthru (\'ls\')} 'from mybb_templates--

The final SQL query will look like this:

SELECT title, template FROM mybb_templates WHERE title IN ('header_welcomeblock_member_moderator','...') AND SID IN ('- 2,'- 1,') AND 1: 0 UNION SELECT title,'${passthru (\'ls\')} 'from mybb_templates -')

With this SQL injection, the template cache is poisoned with attacker-controlled data without any escape or filtering, and these template values are completely controlled by the attacker and then passed to the double quote string of eval (), so we can execute arbitrary PHP code in the ${} syntax. Eventually, an attacker can execute arbitrary PHP code and then take down the server

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.