CVE-2023-2420: elecms/README.md at main · VG00000/elecms

Source code download address： http://www.mlecms.com/download/zip/mlecms-3.0.zip Operating environment：Nginx+mysql

A vulnerability exists in the "get_url()" function in lines 40-53 of the “upload\inc\include\common.func.php” file,This function directly obtains the URL from “$_SERVER” and returns it without filtering, which may lead to SQL injection or XSS vulnerabilities

Global search for "get_url", where “get_url” exists in “/upload/inc/lib/admin.lib.php” and is directly spliced into SQL statements

Open this file, line 49. The risky SQL statement is located in the "logs ()" method

Continue to track the “logs” method, which is used on lines 13 and 16 of the " \upload\admin\channel_manage.php" file

Analyze the routing, combine the file name characteristics, and locate the function point at “网站频道管理”

Analyze" channel_manage. php “, and only execute” admin:: logs “when” $_GET ['del '] “is a number and” $ass [‘id’] “is empty.”

After analyzing and testing “$db ->query” to construct a request package, it is known that the deleted channel ID is greater than the actual channel ID, which can make “$ass ['id ']" null. Because” $_GET [‘del '] "must be a number, and the vulnerability point is located in the URL, requiring the insertion of characters. Therefore, combined with SQL statements, the following error injection method can be used to query the database name: channel_manage.php?del=1111#’or updatexml(1,concat(0x7e,database()),0) or’

Query user

The test environment is Nginx+MySQL. If other middleware is used, it may be necessary to reconstruct the payload data packet： GET /admin/channel_manage.php?del=1111#’or updatexml(1,concat(0x7e,user()),0) or’ HTTP/1.1 Host: 192.168.31.128:90 accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=1ohoqsk1aaiaj81sr1ngt5phm0; mlecms_global_language=1 Connection: close