Shulou(Shulou.com)05/31 Report--

This article shows you how to conduct code audit semcms, the content is concise and easy to understand, can definitely brighten your eyes, through the detailed introduction of this article, I hope you can get something.

Environment building:

Use it for building environment: phpstudy2018+phpstrom+Windows10

Download semcms v3.9:

Http://www.sem-cms.com/TradeCmsdown/php/SEMCMS_PHP_3.9.zip

Installation of Semcms v3.9:

Step 1: upload the extracted files to the root directory of the phpstudy2018 website

Step 2: run the install directory for default installation (enter http:// your domain name / install in the address bar)

Use phpstorm to open the website folder with the browser to open the website.

Code audit:

Through the analysis of the index.php file on the home page of the website, it is found that the first step is to load the file web_inc.php file, which is a vulnerability trigger file. See figure 3.1

Figure 3.1

Analysis of the web_inc.php file, found that the initial location, loaded two files, one is connected to the database, nothing to see, the other is the contorl.php file, sql statements for filtering, see figure 3.2.

Figure 3.2

Enter the contorl.php file analysis. Found that only GET requests are filtered, and blacklist filtering is used, which can be bypassed. See figure 3.3

Figure 3.3

Then analyze the web_inc.php file, we directly analyze the loophole. We can find that we can first determine whether there is a languageID in the POST request, filter the sql blacklist if there is, and then assign a value to the $Language=$languageID. We can bypass the blacklist, and then determine whether the language is empty. Enter the if statement if it is not empty, that is, the loophole point, and assign the $language variable to the sql statement. And not protected by single quotation marks. See figure 3.4

Figure 3.4

Loophole recurrence

In the browser, visit the home page of the website and open the post request. Add languageID=1 to the post box, visit, and find that the display is normal. See figure 4.1

Figure 4.1

Change the value of languageID to:

1 and ascii (substr (database (), 1 minute 1)) ^ 109, found that the web page has changed. In this way, it is determined that the first letter of the database name is m, and the asii code is 109. See figure 4.2

In this way, attackers can determine the database name by constantly testing the asii code value of each letter of the database.

To facilitate testing, I wrote a simple python script (sqlmap was less used at the time), revealing the database name. Because the scope of the guess is relatively large, it may take a little longer, but it is faster than manual after all. See figure 4.3

Figure 4.3 the above is how to conduct code audit semcms. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.