wudijun / there-are-sql-injections-in-multiple-s-cms-website-building-systems Goto Github PK

此页面为s-cms建站系统主页，旗下多个系统都存在多个sql注入漏洞。

(This page is the homepage of the s-cms website building system, and there are multiple sql injection vulnerabilities in multiple systems under it)

漏洞点存在于主目录下api/index.php文件，代码如下。

(The vulnerability point exists in the api/index.php file in the main directory, the code is as follows)

此处通过check_auth2函数来判断当前系统是否购买了微信小程序功能，如果购买继续向下执行，将$_REQUEST["M_id"]赋值给变量$M_id然后继续向下执行switch语句。

(Here, the check_auth2 function is used to judge whether the current system has purchased the WeChat applet function. If the purchase continues to execute downward, assign $_REQUEST["M_id"] to the variable $M_id and continue to execute the switch statement downward)

switch语句通过判断action的值来进行操作，此处action的值是通过REQUEST方式传递的。

(The switch statement operates by judging the value of the action, where the value of the action is passed through REQUEST)

将action的值通过GET方式赋值为editpwd时会将$M_id作为参数带入check函数执行。

(When the value of action is assigned to editpwd by GET method, $M_id will be brought into the check function as a parameter for execution)

此处将$M_id的值直接带入sql语句，并没有进行过滤，从而导致sql注入漏洞的产生。

(Here, the value of $M_id is directly brought into the sql statement without filtering, which leads to the generation of sql injection vulnerabilities)

尽管此系统已经通过对GET方式和POST方式输入的 <、>、'、" 等特殊符号进行全局的过滤处理，但是仍然可以用其他的特殊符号进行绕过，并通过sql注入中的延迟注入来获取数据库中的内容。

(Although this system has globally filtered special symbols such as <, >, ', " entered in GET and POST methods, it can still be bypassed with other special symbols and delayed injection in sql injection. Get the contents of the database)

可以直接在网址后面添加/api/index.php?action=editpwd来查看当前网址是否购买微信小程序，如果未购买微信小程序页面则会提示。

(You can directly add /api/index.php?action=editpwd after the URL to check whether the current URL has purchased the WeChat Mini Program. If you have not purchased the WeChat Mini Program page, you will be prompted)

如果该网站购买了微信小程序功能时则会返回空白页面或者报错提示，此时就可以进行sql注入攻击。

(If the URL purchases the function of the WeChat applet, it will return a blank page or report an error prompt, and sql injection attacks can be carried out)

当该网站购买了微信小程序功能时，我们将恶意的sql语句 M_id=6%0Aand%0Aif((length(database()))!=1,sleep(5),0) 拼接到M_id的后面并使用工具burpsuite对数据包进行抓取重放

(When the website purchased the function of the WeChat applet, we spliced the malicious sql statement M_id=6%0Aand%0Aif((length(database()))!=1,sleep(5),0) to the back of M_id and Use the tool burpsuite to capture and replay the data packets)

此条sql注入语句的意思为如果当前网站的数据库长度不等于1则页面延迟5秒后返回，可以看到上图右下角网站响应的时间为5秒多，
当我们输入正确的数据库长度时，网站则会立马响应，不会执行sleep(5)进行延迟。

(This sql injection statement means that if the database length of the current website is not equal to 1, the page will be returned after a delay of 5 seconds. You can see that the response time of the website in the lower right corner of the above figure is more than 5 seconds.When we enter the correct database length, the website will respond immediately without executing sleep(5) for delay.)

我们可以通过python写一个脚本进行sql注入攻击，获取当前网站的数据库信息

(We can write a script through python to perform sql injection attacks and obtain the database information of the current website)

数据库长度为3，数据库名为cms。
(The database length is 3, and the database name is cms)

以下几个截图是互联网真实案例，为了证明漏洞存在只获取了数据库名称，并没有进行其他操作，还有很多案例此处只展示三个

(The following screenshots are real cases on the Internet. In order to prove the existence of the vulnerability, only the database name was obtained, and no other operations were performed. There are still many cases where only three are shown here.)

同理，api/index.php下还存在多个sql注入，如GET方式传入的action的值为member_news、member_newesinfo、editnews、member_from、list时，都可进行sql注入

(Similarly, there are multiple sql injections under api/index.php. For example, when the value of the action passed in by GET is member_news, member_newesinfo, editnews, member_from, or list, sql injection can be performed)