Qibo CMS SQL injection vulnerability learning

Today I saw an article on vulnerability analysis of a cms on asrc (http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.96tpib&id=13 ), and I feel like Ali Daniel is still a little cautious when writing vulnerability analysis, let alone the method of utilization.

I searched this CMS on Baidu, and the usage is still quite large. I don’t know much about PHP, so I briefly studied it and summarized how to use it.

The cause of the vulnerability is this code in inc/common.inc.php:

if(!ini_get('register_globals')){
	@extract($_FILES,EXTR_SKIP);
}

The meaning of this code is to convert the $_Files request array received by php into some variables. And we know that these variables will not be escaped by magic quotes.

Look at the member/comment.php file again, the following code:

if($job=='del'){
      foreach( $cidDB AS $key=>$value){
		$rs=$db->get_one("SELECT aid FROM {$pre}comment WHERE cid='$value'");
		$erp=get_id_table($rs[aid]);
		$rsdb=$db->get_one("SELECT C.cid,C.uid AS commentuid,C.aid,A.uid,A.fid FROM {$pre}comment C LEFT JOIN {$pre}article$erp A ON C.aid=A.aid WHERE C.cid='$value'");
		if($rsdb[uid]==$lfjuid||$rsdb[commentuid]==$lfjuid||$web_admin||in_array($rsdb[fid],$fiddb)){
			$db->query("DELETE FROM {$pre}comment WHERE cid='$rsdb[cid]'");
		}
		$db->query("UPDATE {$pre}article$erp SET comments=comments-1 WHERE aid='$rsdb[aid]'");
	}
	refreshto("$FROMURL","删除成功",0);
}

Where the variable $cidDB should be the id of the comment obtained from the URL through the get method, and then spelled into the sql statement for execution sql.

But because comment.php refers to common.inc.php and $cidDB is not initialized, here we can use the variables in $_Files to directly assign a value to $cidDB without escaping.

POC: 不 is actually not a POC, it is a simple way of use.

                                                                                                                                                        out out out out of Named: 1' union select version() and '1'='1

Then submit the upload and you can see the return result:

This way A more troublesome problem is: Since the value is stored in two SQL statements, the columns of the two statements are different, so an error will be reported when using union here, and the only way is blind injection. Or you can look for uninitialized variables elsewhere.

Size: 55.3 KB

Size: 26.1 KB

View picture attachment

The above introduces the learning of SQL injection vulnerabilities in Qibo CMS, including the relevant aspects. I hope it will be helpful to friends who are interested in PHP tutorials.

•