BigTree CMS sql注入与反序列化

# Chaining SQL Injection and XSS BigTree CMS suffers from a plain SQL Injection which can be exploited in the dashboard. An unsanitized parameter allows overriding the `Table` property, enabling the manipulation of the underlying SQL syntax to extract arbitrary sensitive information from the database. The web application then continues to print all the data retrieved through the SQL query and returns it to the authenticated administrator. Since BigTree does not make use of any CSRF tokens here, the vulnerability can be exploited through CSRF. A Second Order Cross-Site Scripting vulnerability can then be used to smuggle the data out to an external Server. In the following we will see the entry point to the vulnerability: ```php core/admin/ajax/dashboard/check-module-integrity.php $form = BigTreeAutoModule::getForm($_GET["form"]); // Create a generic module class to get the decoded item data $m = new BigTreeModule; $m->Table = $form["table"]; $item = $m->get($_GET["id"]); ``` On line 6 the user input is received through the `form` parameter and stored in the `$form`variable. Its value is then assigned to the `$m->Table` property of the `BigTreeModule` instance. Finally the `get()` method is invoked on the object which launches a SQL query on line 10. This method is embedding the user input of the `$item` variable safely and embedding the tainted `Table` property *unsafely*. ```php core/inc/bigtree/modules.php class BigTreeModule { ⋮ public function get($item) { ⋮ $item = sqlfetch(sqlquery("SELECT * FROM `".$this->Table."` WHERE id = '". sqlescape($item)."'")); ``` The data can then be smuggled out by exploiting a Cross-Site Scripting vulnerability. To achieve this, the attacker must control the values of the `$item` array returned by the SQL query to start with the string *“http”*. This causes the control flow to branch into the program block which processes links automatically, starting on line 19 of the following source code. ```php core/admin/ajax/dashboard/check-module-integrity.php <?php foreach ($form["fields"] as $field => $resource) { ⋮ if ($resource["type"] == "text" && is_string($item[$field])) { $href = $item[$field]; ⋮ if (substr($href,0,4) == "http" && strpos($href,WWW_ROOT) === false) { ⋮ if (!$admin->urlExists($href)) $integrity_errors[$field] = array("a" => array($href)); } } } ⋮ foreach ($integrity_errors as $field => $error_types) { foreach ($error_types as $type => $errors) { foreach ($errors as $error) { ?> <p>Broken <?=(($type == "img") ? "Image" : "Link")?>: <?=$error?> in field &ldquo;<?=$form["fields"][$field]["title"]?>&rdquo;</p> ``` For each potential link, the program will send a web request via the `urlExists()` method. If the request fails, the data is added to the error array `$integrity_errors` on line 22. The values of this array are printed unsanitized in a `foreach` loop on line 30 leading to the output of our SQL Injection directly next to our Cross-Site Scripting payload extracting the data to an external server. Although its usually tricky to exploit a SQL Injection via CSRF [as seen here](https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/#blind-sql-injection-exploitation-via-csrf), we can in this case make use of the Cross-Site Scripting vulnerability to smuggle out the results easily with an AJAX request. ## Phar Deserialization via CURL wrapper [Curls CLI file feature](https://curl.haxx.se/docs/manpage.html#-d) allows to upload files from the file system by prepending the filename with an `@` symbol. Adding the curl option `-d param=@/path/to/filename` in the curl CLI would comfortably upload the contents of the specified filename to the target server. BigTree developed its own curl wrapper function `BigTree::cURL()` to implement this feature. ```php core/inc/bigtree/utils.php public static function cURL($url, $post = false, $options = [], $strict_security = true, $output_file = false, $updating_bundle = false) { ⋮ if ($post !== false) { if (function_exists("curl_file_create") && is_array($post)) { foreach ($post as &$post_field) { if (substr($post_field, 0, 1) == "@" && file_exists(substr($post_field, 1))) { $post_field = curl_file_create(substr($post_field, 1)); ``` The method receives data to be send in the HTTP body as the second argument `$post` of the static method. On line 268 it iterates over the array and checks the values for an `@` character which is potentially suffixed with a filename. This filename is used as an argument to `file_exists()` on line 270 before adding the contents of the file to the curl request, leading to a Phar Deserialization vulnerability if we have control over a value of the `$post` array. This assumption is true for the URL `http://<host>/bigtree446/site/index.php/admin/developer/services/instagram/return/?code=@phar://myphar.phar` which routes an authenticated backend user directly to the following entry point: ```php core/admin/modules/developer/services/common/return.php $token = $api->oAuthSetToken($_GET["code"]); ``` The user input stored in the `code` parameter is passed as the `$code` argument to the `oAuthSetToken()` method. This forwards the value directly into the `BigTree::cURL()` wrapper from above, leading to the Phar Deserialization vulnerability. ```php core/inc/bigtree/apis/_oauth.base.php public function oAuthSetToken($code) { $response = json_decode(BigTree::cURL($this->TokenURL,array( "code" => $code, ⋮ ))); ``` To exploit this vulnerability, a file must be uploaded. This can only be achieved by correctly posting a CSRF token. However, this CSRF token can be stolen by exploiting the Cross-Site Scripting vulnerability from above, and stealing the token. This will enable a file upload which can be used in the Phar Deserialization process.