
Bypass security protection injection code in the website settings function #34

Open
chasingboy opened this issue Jul 17, 2022 · 0 comments


1. We enter the management page and go to website settings.

[screenshot]

2. Next, I want to inject PHP code by modifying these settings. From the config.php file we found that the modified configuration will be written there.

[screenshot]

3. The format of the configuration writing is as follows.

   define('WEBNAME',	'taoCMS演示');

4. So, according to the grammar rules of PHP, I made the following request.

[screenshot]

   payload: taoCMS演示');phpinfo();//

5. But I found that after executing the request, the code of the config.php file has a syntax error.

   define('WEBNAME',	'taoCMS演示'');phpinfo();//');

[screenshot]

6. When I view taocms/include/Config.php, I see that when the configuration is modified, the configuration is checked for security.

[screenshot]

7. Follow taocms/include/Base.php, in the safeword function. The core point of discovery is that if the database type is SQLite, a single quote (') will be replaced by a pair ('').

[screenshot]

8. After knowing all this, I constructed a payload, adding a backslash (\) to escape the single quote ('). Note that the database type is SQLite.

   payload: taoCMS演示\');phpinfo();//

[screenshot]

9. After executing the request this time, I found that I successfully modified the configuration, and the code syntax check passed.

[screenshot]

10. When I access Config.php, everything works fine and the PHP code runs correctly.

[screenshot]
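As an added example (not taoCMS's own code), the escaping mismatch the report describes, in PHP: an SQL-style quote-doubling step beside a config writer that lets var_export() build the literal, plus a tokeniser check that rejects a generated line containing more than one statement. The function names and the sample value are constructed for illustration.

```php
<?php
// Added example, not taoCMS code. Shows why SQL-style quote doubling does
// not protect a value that is written into PHP source, and a safer writer.

// Escaping as described in the report: with SQLite, a single quote is
// doubled. That is correct for SQL string literals and irrelevant for PHP.
function sqlite_style_escape(string $value): string
{
    return str_replace("'", "''", $value);
}

// Vulnerable pattern: the escaped value is concatenated into a define()
// line. A backslash before the quote survives the doubling untouched, so
// the PHP string literal can still be terminated by the value.
function write_define_unsafe(string $name, string $value): string
{
    return "define('" . $name . "',\t'" . sqlite_style_escape($value) . "');";
}

// Hardened writer: let PHP build the literal. var_export() escapes both
// backslashes and single quotes, so no input can terminate the string.
function write_define_safe(string $name, string $value): string
{
    return 'define(' . var_export($name, true) . ', '
         . var_export($value, true) . ');';
}

// Second layer: verify the generated line is exactly one statement before
// it is written to disk. token_get_all() tokenises without executing, and
// a ';' inside a well-formed string literal is part of the string token,
// not a bare ';' token.
function is_single_define(string $line): bool
{
    $statements = 0;
    foreach (token_get_all("<?php " . $line) as $t) {
        if ($t === ';') {
            $statements++;
        }
    }
    return $statements === 1;
}

// Constructed sample value with the shape discussed in the report.
$sample = "x\\');echo 1;//";
assert(is_single_define(write_define_safe('WEBNAME', $sample)) === true);
assert(is_single_define(write_define_unsafe('WEBNAME', $sample)) === false);
```

Storing settings outside executable code (for example as JSON read at runtime) removes the problem entirely; the check above is a guard for code that must keep writing config.php.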
