Today I saw an article analysing a vulnerability in a CMS ( http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.96tpib&id=13 ), and I feel the Alibaba expert was still a bit cautious when writing up the analysis: the exploitation method was not mentioned at all.
A quick Baidu search shows this CMS is quite widely used. I don't know PHP well, but I studied it briefly and summarised the exploitation method.
The cause of the vulnerability is this section of code in inc/common.inc.php:

    if (!ini_get('register_globals')) { @extract($_FILES, EXTR_SKIP); }
This code turns the entries of the $_FILES array that PHP received into ordinary variables, and these variables are not escaped by magic quotes.
Now look at member/comment.php, which contains the following code:
    if ($job == 'del') {
        foreach ($cidDB as $key => $value) {
            $rs = $db->get_one("SELECT aid FROM {$pre}comment WHERE cid='$value'");
            $erp = get_id_table($rs['aid']);
            $rsdb = $db->get_one("SELECT C.cid, C.uid AS commentuid, C.aid, A.uid, A.fid FROM {$pre}comment C LEFT JOIN {$pre}article$erp A ON C.aid=A.aid WHERE C.cid='$value'");
            if ($rsdb['uid'] == $lfjuid || $rsdb['commentuid'] == $lfjuid || $web_admin || in_array($rsdb['fid'], $fidDB)) {
                $db->query("DELETE FROM {$pre}comment WHERE cid='$rsdb[cid]'");
            }
            $db->query("UPDATE {$pre}article$erp SET comments=comments-1 WHERE aid='$rsdb[aid]'");
        }
        refreshto("$FROMURL", "Delete succeeded", 0);
    }
Here $cidDB should be the comment IDs obtained from the URL via GET, which are then placed into the SQL statement and executed.
But because comment.php includes common.inc.php and $cidDB is never initialised, values from $_FILES can be assigned directly to $cidDB, without any escaping.
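The defender's fix for the two files above, as an added example that is not Qibo's code: drop the extract() emulation of register_globals, read the ids only from the GET parameter the page says they come from, keep only integers, and pass them as bound parameters. It assumes an open mysqli connection $mysqli; $pre, get_id_table(), $lfjuid, $web_admin and $fidDB are the page's own helpers and globals.

```php
<?php
// Hardened replacement for the delete branch of member/comment.php (added example,
// not Qibo's code). Assumed: $mysqli is an open mysqli connection; $pre, get_id_table(),
// $lfjuid, $web_admin and $fidDB are the helpers and globals the page's code already uses.

// Read the ids only from the query string and keep nothing but positive integers.
// With no extract() on $_FILES, an uploaded file's name can no longer define $cidDB,
// and a non-numeric id such as 1' union ... is simply dropped.
function comment_ids_from_request(array $get): array
{
    $ids = [];
    foreach ((array) ($get['cidDB'] ?? []) as $v) {
        if (is_scalar($v) && preg_match('/^[1-9][0-9]*$/', (string) $v)) {
            $ids[] = (int) $v;
        }
    }
    return array_values(array_unique($ids));
}

// Same two lookups as the original, but the id is a bound parameter rather than a
// string spliced into the query, and the counter update only runs when the delete did.
function delete_comment(mysqli $mysqli, string $pre, int $cid, $lfjuid, bool $web_admin, array $fidDB): bool
{
    $stmt = $mysqli->prepare("SELECT aid FROM {$pre}comment WHERE cid=?");
    $stmt->bind_param('i', $cid);
    $stmt->execute();
    $rs = $stmt->get_result()->fetch_assoc();
    if (!$rs) { return false; }
    $erp = get_id_table($rs['aid']); // table suffix chosen server-side, never from input
    $sql = "SELECT C.cid, C.uid AS commentuid, C.aid, A.uid, A.fid FROM {$pre}comment C "
         . "LEFT JOIN {$pre}article{$erp} A ON C.aid=A.aid WHERE C.cid=?";
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param('i', $cid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $allowed = $row && ($row['uid'] == $lfjuid || $row['commentuid'] == $lfjuid
                        || $web_admin || in_array($row['fid'], $fidDB));
    if (!$allowed) { return false; }
    $aid = (int) $row['aid'];
    $stmt = $mysqli->prepare("DELETE FROM {$pre}comment WHERE cid=?");
    $stmt->bind_param('i', $cid);
    $stmt->execute();
    $stmt = $mysqli->prepare("UPDATE {$pre}article{$erp} SET comments=comments-1 WHERE aid=?");
    $stmt->bind_param('i', $aid);
    $stmt->execute();
    return true;
}
```

In place of the original foreach, the handler becomes: foreach (comment_ids_from_request($_GET) as $cid) { delete_comment($mysqli, $pre, $cid, $lfjuid, $web_admin, $fidDB); }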
PoC:
Actually this is not so much a PoC as a simple way of exploiting it.
Write a simple HTML page:
Set the form's action to the site's address.
Then rename a file to: 1' union select version() and '1'='1
Then submit the upload, and you can see the returned result:
One more troublesome point: because the value is used in two SQL statements, and the two statements do not have the same number of columns, a UNION here will produce an error, so only blind injection works. Alternatively, look for uninitialised variables elsewhere.
The above covers what I learned about the Qibo CMS SQL injection vulnerability; I hope it is helpful to friends interested in PHP tutorials.