跳至主要内容

博文

ThinkSAAS has a Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php#2 (bypass of CVE-2020-35337)

  0x01 Summay In last December last year, there were security problems caused by improper URLDecode. Reference https://github.com/thinksaas/ThinkSAAS/issues/24 To sum up, it is in ThinkSAAS-master\app\topic\action\admin\topic.php , improper filtering of keyword parameters leads to SQL injection. In last year's fix plan (click Here Direct), the first is $title Changed $kw Variable, And, after tsFilter Function filtering. However, there are still security risks now. # Responsible Vulnerability Disclosure info Title: ThinkSAAS has a Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php Desc: ThinkSAAS before 3.52 has SQL injection via the /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC title parameter(need the privilege of admin), allowing logged attackers to execute arbitrary SQL commands. This is a bypass of CVE-2020-35337. CVSS v3.1 Vector: - 7.5 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:H/
最新博文

lykops has multiple vulnerabilities

corresponding 0x00     intro - github repo:https://github.com/lykops/lykops - 121 stars and 65 forks til 2021/2/6 0x01     Post-Auth OS-command injection lykops/library/utils/file.py#248   -> upload_file() we got  lykops/lykops/ansible/yaml.py#74 ,github link here vuln param file comes from our HTTP Request in array of FILES[]  So we can completely control the unsantized param, and cause a OS-cmd injection the corresponding route is ^ansible/yaml/import$ , we can trigger this vuln by visiting it. Also, you can see that an exception will trigger twice invocations  of  import_file() ,which means a  `sleep 5`   command will casue a delay of 10 second POST /ansible/yaml/import/  Host: lykops ... ... ...;filename="test.txt$(sleep 5)" ...

Thinksaas has a Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php

1. Intro of this CMS The repo of ThinksaasS is located at https://github.com/thinksaas/ThinkSAAS , quite a common-used CMS. Source code of v3.38  could be downloaded at https://www.thinksaas.cn/service/down/ , while passcode of downlaoding is thinksaas9999 of this Vuln ThinkSAAS before 3.38 has SQL injection via the /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC title parameter, allowing remote attackers to execute arbitrary SQL commands. 2. Walkthrough Code Review Risky lines are here =>   https://github.com/thinksaas/ThinkSAAS/blob/b0361f49cb026ad33b7df6b15539bec6dadd24b0/app/topic/action/admin/topic.php#L42 https://github.com/thinksaas/ThinkSAAS/blob/b0361f49cb026ad33b7df6b15539bec6dadd24b0/thinksaas/tsApp.php#L146 Due to unproper conjunction of SQL query sentences (1) and invalid filter (2) (1) unproper conjunction of SQL query sentences app/topic/action/admin/topic.php#L42 Let's see how findAll() works: thinksaas/tsApp.php#L1

MKCMS V6.2 has mutilple vulnerabilities

0x00:Lead In Source code can be downloaded  at  https://www.lanzous.com/ib7zwmh This CMS is kinda funny, coz there is a universal filter addslashes  in /system/library.php /system/library.php <?php ... if ( ! get_magic_quotes_gpc ()) { if ( ! empty ( $_GET )) { $_GET = addslashes_deep ( $_GET ); } if ( ! empty ( $_POST )) { $_POST = addslashes_deep ( $_POST ); } $_COOKIE = addslashes_deep ( $_COOKIE ); $_REQUEST = addslashes_deep ( $_REQUEST ); } function addslashes_deep ( $_var_0 ) { if ( empty ( $_var_0 )) { return $_var_0 ; } else { return is_array ( $_var_0 ) ? array_map ( 'addslashes_deep' , $_var_0 ) : addslashes ( $_var_0 ); } _var_0 } While it uses stripslashes somewhere by mistake, let's do a global search about it, we get 3 SQL injections 0x01:PreAuth SQL injection in /ucenter/repass.php MKCMS V6.2 has SQL injection via the /ucenter/repass.php nam