博文

lykops has multiple vulnerabilities

图片
corresponding 0x00     intro - github repo:https://github.com/lykops/lykops - 121 stars and 65 forks til 2021/2/6 0x01     Post-Auth OS-command injection lykops/library/utils/file.py#248   -> upload_file() we got  lykops/lykops/ansible/yaml.py#74 ,github link here vuln param file comes from our HTTP Request in array of FILES[]  So we can completely control the unsantized param, and cause a OS-cmd injection the corresponding route is ^ansible/yaml/import$ , we can trigger this vuln by visiting it. Also, you can see that an exception will trigger twice invocations  of  import_file() ,which means a  `sleep 5`   command will casue a delay of 10 second POST /ansible/yaml/import/  Host: lykops ... ... ...;filename="test.txt$(sleep 5)" ...

Thinksaas has a Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php

图片
1. Intro of this CMS The repo of ThinksaasS is located at https://github.com/thinksaas/ThinkSAAS , quite a common-used CMS. Source code of v3.38  could be downloaded at https://www.thinksaas.cn/service/down/ , while passcode of downlaoding is thinksaas9999 of this Vuln ThinkSAAS before 3.38 has SQL injection via the /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC title parameter, allowing remote attackers to execute arbitrary SQL commands. 2. Walkthrough Code Review Risky lines are here =>   https://github.com/thinksaas/ThinkSAAS/blob/b0361f49cb026ad33b7df6b15539bec6dadd24b0/app/topic/action/admin/topic.php#L42 https://github.com/thinksaas/ThinkSAAS/blob/b0361f49cb026ad33b7df6b15539bec6dadd24b0/thinksaas/tsApp.php#L146 Due to unproper conjunction of SQL query sentences (1) and invalid filter (2) (1) unproper conjunction of SQL query sentences app/topic/action/admin/topic.php#L42 Let's see how findAll() works: thinksaas/tsApp.php#L1

MKCMS V6.2 has mutilple vulnerabilities

图片
0x00:Lead In Source code can be downloaded  at  https://www.lanzous.com/ib7zwmh This CMS is kinda funny, coz there is a universal filter addslashes  in /system/library.php /system/library.php <?php ... if ( ! get_magic_quotes_gpc ()) { if ( ! empty ( $_GET )) { $_GET = addslashes_deep ( $_GET ); } if ( ! empty ( $_POST )) { $_POST = addslashes_deep ( $_POST ); } $_COOKIE = addslashes_deep ( $_COOKIE ); $_REQUEST = addslashes_deep ( $_REQUEST ); } function addslashes_deep ( $_var_0 ) { if ( empty ( $_var_0 )) { return $_var_0 ; } else { return is_array ( $_var_0 ) ? array_map ( 'addslashes_deep' , $_var_0 ) : addslashes ( $_var_0 ); } _var_0 } While it uses stripslashes somewhere by mistake, let's do a global search about it, we get 3 SQL injections 0x01:PreAuth SQL injection in /ucenter/repass.php MKCMS V6.2 has SQL injection via the /ucenter/repass.php nam