1. Preface
A while ago, while browsing CNVD, I came across a niche CMS. Large CMSes are hard for us to find bugs in, so I reviewed the vulnerabilities reported there, took a closer look at the code myself, and found some other problems. With a niche CMS you can follow the specific code path and understand the root cause of each vulnerability, which makes it good practice material.
2. Reflected XSS vulnerability
It is actually quite common for a small CMS like this to have XSS vulnerabilities, and they show up in the usual place: when an error is reported, the input is echoed back without any sanitisation, so XSS is triggered. After obtaining the CMS source, the first step is simply to look at its URL routing so the related functions can be located quickly.
```php
$t = @$_GET['t'] ? $_GET['t'] : "sys";
$n = @$_GET['n'] ? $_GET['n'] : "index";
$c = @$_GET['c'] ? $_GET['c'] : "index";
$a = @$_GET['a'] ? $_GET['a'] : "index";
define("L_TYPE", $t);
define("L_NAME", $n);
define("L_CLASS", $c);
define("L_MODULE", "admin");
define("L_ACTION", "do{$a}");
require_once '../core/route.php';
```
The file /core/route.php is then included.
It defines a few constants and finally calls the module function of the load class, located in \core\class\load.class.php.
That in turn calls the associated function, which checks whether the requested file exists.
If the file does not exist, an error message is passed to the X function of the LCMS class in \core\class\lcms.class.php, which calls the template function to generate the error output template.
The error message template is then rendered.
The output applies no filtering to the error message; it is echoed directly, triggering reflected XSS.
Essentially, every error output of this kind is unfiltered, so all of them are reflected XSS vulnerabilities.
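As an added illustration of the fix (this is not LCMS code; the helper names are hypothetical and the error message is constructed), the following contrasts echoing an error message straight into the template with encoding it for the HTML context first:

```php
<?php
// Added example, not from the CMS being audited. Hypothetical helper names.

// Unsafe: the untrusted message is placed straight into HTML, which is the
// pattern that produces the reflected XSS described above.
function render_error_unsafe(string $msg): string
{
    return "<div class=\"error\">{$msg}</div>";
}

// Safe: encode for the HTML context before output. ENT_QUOTES also encodes
// single quotes, so the same helper is safe inside attribute values.
function render_error_safe(string $msg): string
{
    $encoded = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<div class=\"error\">{$encoded}</div>";
}

// Constructed input modelled on a routing error: a module name containing markup.
$module  = 'index<script>alert(1)</script>';
$message = "module {$module} does not exist";

echo render_error_unsafe($message), PHP_EOL; // markup survives and would execute in a browser
echo render_error_safe($message), PHP_EOL;   // &lt;script&gt;... is displayed as text
```

The encoding has to happen at the point of output, inside the template, rather than on the way into the error function: the same message may later be written to a log or a JSON response, each of which needs a different encoding.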
3. Stored XSS vulnerability
While scanning the CMS with the Seay code audit tool, an issue with how the client IP is obtained was found: the IP can be forged, and the backend records the IP on successful login. Since only the IP of a successful login is recorded, the stored XSS can only be triggered through an account that can log in; registering a low-privilege account and forging the client IP during login is enough to trigger it.
When an administrator logs in and opens User Center > User Management, the stored XSS is triggered.
Locate the IP-related function in \app\sys\login\admin\index.class.php: it obtains the client IP and updates the database.
CLIENT_IP is LCMS::IP(), located in \core\class\lcms.class.php; the function lets the client supply, and therefore forge, its own IP address.
Finally, the IP obtained from the client is written to the database.
When we open the user center, look at which function in \app\sys\user\admin\admin.class.php is called.
It fetches the data from the database and renders it into the template, triggering the XSS.
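The root cause is that a request header is treated as the client address. As an added example (not the CMS's LCMS::IP(); the function names, the $trustedProxies setting and the request arrays are constructed), this shows a header-trusting lookup beside one that only honours X-Forwarded-For behind a known proxy and rejects anything that is not a syntactically valid IP, so no markup can ever reach the database:

```php
<?php
// Added example, not LCMS code. Names and the proxy list are assumptions.

// Header-trusting version: any client can set X-Forwarded-For to arbitrary
// text, which is then stored and later rendered in the admin panel.
function client_ip_trusting(array $server): string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $h) {
        if (!empty($server[$h])) {
            return $server[$h];
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened version: use the TCP peer address unless that peer is a trusted
// proxy, in which case take the last hop the proxy appended; then validate.
function client_ip_validated(array $server, array $trustedProxies): ?string
{
    $remote    = $server['REMOTE_ADDR'] ?? '';
    $candidate = $remote;
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops      = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops); // the address the trusted proxy itself connected from
    }
    return filter_var($candidate, FILTER_VALIDATE_IP) === false ? null : $candidate;
}

// Constructed request: a direct client (no proxy in front) sending a forged header.
$forged = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '<b>not-an-ip</b>',
];
var_dump(client_ip_trusting($forged));                // the markup, as stored by the vulnerable code
var_dump(client_ip_validated($forged, ['10.0.0.1'])); // "203.0.113.10": header ignored, peer is not a proxy

// Same header arriving via a trusted proxy: still rejected, it is not an IP.
$viaProxy = $forged;
$viaProxy['REMOTE_ADDR'] = '10.0.0.1';
var_dump(client_ip_validated($viaProxy, ['10.0.0.1'])); // NULL
```

A NULL result should be stored as an empty value (or the login refused), and the user-management template should still HTML-encode the column on output; validation on the way in and encoding on the way out are independent controls.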
4. Arbitrary file deletion
This occurs when deleting backup SQL files.
Following the related function, located in \app\sys\backup\admin\database.class.php:
```php
case 'del':
    $file = PATH_WEB . "backup/data/{$_L['form']['name']}";
    if (is_file($file)) {
        delfile($file);
        ajaxout(1, "delete successfully");
    } else {
        ajaxout(0, "file does not exist");
    }
    break;
```
Following delfile, it calls path_absolute, which performs the filtering, in \core\function\file.func.php:
```php
function path_absolute($path)
{
    // strips "../" and "./" (and a repeated web root), then re-prefixes PATH_WEB
    $path = PATH_WEB . str_replace([
        "../", "./", PATH_WEB,
    ], "", $path);
    $path = str_replace("\/", "\\", $path);
    return is_dir($path) ? path_standard($path) : $path;
}
```
It only filters `../` and `./`; on Windows, `..\` bypasses it.
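Stripping traversal sequences from a string is fragile because the operating system accepts more separators and encodings than the filter knows about. As an added example (not the CMS's own code; PATH_WEB points at a constructed temporary directory and the function names are hypothetical), this reproduces the string-stripping approach and contrasts it with a containment check that resolves the real path and verifies it stays inside backup/data:

```php
<?php
// Added example, not LCMS code. Directory layout below is constructed.
define('PATH_WEB', sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lcms_demo' . DIRECTORY_SEPARATOR);
@mkdir(PATH_WEB . 'backup/data', 0700, true);
file_put_contents(PATH_WEB . 'backup/data/site.sql', '-- constructed dump');
file_put_contents(PATH_WEB . 'config.php', '<?php // constructed');

// The string-stripping approach: "../" and "./" are removed, "..\" is not,
// so on Windows the result can still point above backup/data.
function path_absolute_strip(string $path): string
{
    return PATH_WEB . str_replace(['../', './', PATH_WEB], '', $path);
}

// Hardened: reject anything that is not a plain file name, resolve the
// candidate with realpath() (which understands both separators on Windows
// and returns false for missing files), and require the real path to lie
// under the real base directory.
function resolve_inside(string $baseDir, string $userName): ?string
{
    if ($userName === '' || $userName !== basename($userName)) {
        return null; // contains a separator or is empty
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $userName);
    if ($base === false || $target === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $base, strlen($base)) === 0 ? $target : null;
}

$dataDir = PATH_WEB . 'backup/data';
var_dump(path_absolute_strip('backup/data/..\\..\\config.php')); // backslashes survive the filter
var_dump(resolve_inside($dataDir, 'site.sql'));                 // real path of the dump
var_dump(resolve_inside($dataDir, '../../config.php'));         // NULL: rejected by basename()
var_dump(resolve_inside($dataDir, '..\\..\\config.php'));       // NULL on Windows and Linux alike
```

Only the value returned by resolve_inside should be handed to unlink(); the user-supplied name itself never reaches the filesystem call.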
5. Arbitrary file upload
It is rare to see a CMS do this, and I was surprised to find it is a normal function: the point of an upload whitelist is to allow non-executable files, not PHP scripts. Go to Settings > Security > Format whitelist and add php.
Then, under Settings Center > Background Settings > Background LOGO, upload a PHP file directly.
The upload check lives in \core\class\upload.class.php.
Printing the saved whitelist:
Following the dosafe function in app\sys\config\admin\admin.class.php: it saves the whitelist added by the user into a global variable, and the upload check reads the value back from that same global variable, which is what allows the arbitrary file upload.
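An admin-editable whitelist is fine as long as it cannot override a fixed, code-level list of extensions the web server would execute. As an added example (not the CMS's upload.class.php; the function name and the blocked list are assumptions), this check consults every dot-separated suffix so that names like "shell.php.jpg" are caught as well:

```php
<?php
// Added example, not LCMS code. The blocked list is an assumption and should
// match what the deployment's web server actually executes.
const NEVER_ALLOWED = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess'];

// Returns true when the file name may be accepted. $configured is the
// admin-editable whitelist (the "format whitelist" setting).
function upload_allowed(string $filename, array $configured): bool
{
    $parts = array_map('strtolower', explode('.', basename($filename)));
    array_shift($parts);          // drop the base name, keep only suffixes
    if (count($parts) === 0) {
        return false;             // no extension at all
    }
    foreach ($parts as $ext) {    // any executable suffix anywhere is fatal
        if (in_array($ext, NEVER_ALLOWED, true)) {
            return false;
        }
    }
    $configured = array_map('strtolower', array_map('trim', $configured));
    return in_array(end($parts), $configured, true);
}

$whitelist = ['jpg', 'png', 'gif', 'php']; // an admin has added php, as on the page
var_dump(upload_allowed('logo.png', $whitelist));     // true
var_dump(upload_allowed('logo.php', $whitelist));     // false, despite the whitelist
var_dump(upload_allowed('logo.php.png', $whitelist)); // false
var_dump(upload_allowed('logo', $whitelist));         // false: no extension
```

Extension checks are only one layer; storing uploads outside the web root, or in a directory where script execution is disabled, removes the impact even if a check is bypassed.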
6. SQL injection vulnerability
This CMS appears to have no security checks at all; basically every place that interacts with the database has SQL injection, and many cases are alike. Take one example: User Management > Add User.
```
payload: admin1'and(select*from(select+sleep(1))a)='
```
By changing the sleep time you can see that the sleep function takes effect; the execution time differs by about one-fold. Looking at the SQL execution log, the sleep call is spliced into the SQL statement and the statement is executed.
Follow the URL to the vulnerable function, doiframe in \app\sys\user\admin\admin.class.php. The code is as follows: the data is obtained directly, with no filtering.
$_L is a global variable containing all of the system's data; printing it shows every parameter of the site.
The name value is the malicious SQL fragment, which is spliced straight into the SQL statement and executed, triggering the SQL injection.
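The fix for every one of these sites is the same: the value has to travel as a bound parameter, never as query text. As an added example (not the CMS's code; the table, column and function names are constructed, and it assumes the pdo_sqlite extension so it can run offline), this contrasts the spliced query with a prepared statement:

```php
<?php
// Added example, not LCMS code. Uses an in-memory SQLite database; table and
// column names are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE lcms_user (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO lcms_user (name) VALUES ('admin')");

// Vulnerable pattern, as on the page: the name is spliced into the query text.
function user_exists_spliced(PDO $pdo, string $name): bool
{
    $sql = "SELECT COUNT(*) FROM lcms_user WHERE name='{$name}'";
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// Hardened: the value is bound to a placeholder; the query text is fixed.
function user_exists_prepared(PDO $pdo, string $name): bool
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM lcms_user WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed input: a quote closes the string literal and a tautology follows.
$input = "nobody' OR '1'='1";
var_dump(user_exists_spliced($pdo, $input));  // true: the WHERE clause was rewritten
var_dump(user_exists_prepared($pdo, $input)); // false: looked up literally, no such user
```

With prepared statements the time-based probe on the page stops working as well, because the sleep call arrives as a string value rather than as an expression the database evaluates.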
I am a network security penetration engineer, not only studying penetration; of course, if you want to learn about network security, I can share network security videos, SRC technical documents, toolkits, emergency response and code audit materials, etc., with you.
7. Summary
There is no particular highlight here; it is just a normal CMS audit process.