1.wayang-cms official download address

Github official download,wayang-cms

2.Build a recurring environment

Download and install phpStudy, download wayang-cms and copy all files inside to phpStudy's web directory, connect to mysql and create a new database wayang-cms, start Apache to access set up installation. After the installation is complete, import cms.sql in wy_install into the database, and the successful operation is as follows

3.Vulnerability analysis

The reason for the vulnerability is that the system did not perform any security verification on the visitor's IP address when recording the visitor's IP, and directly spliced the data passed by the user into the SQL statement for execution. The location of the vulnerability is in lines 8 to 10 of wy_controlls/wy_side_visitor.php. In line 8 of the code, the IP address, browser, time, etc. of the user accessing the system are spliced with SQL statements using the Insert keyword. The code uses the ip() method to obtain the visitor's IP address.

Locate the file of the ip() method to view the specific implementation. This method is located in wy_controlls/wy_side_visitor.php. You can see through the code that if there are fields such as X-Forwarded-For in the HTTP request header, it will be taken directly from the HTTP request header Value and return.

Attackers can submit dirty data for malicious SQL injection.

$queryi="INSERT INTO `wy_visitor`(`visitor_ipaddress`, `visitor_user_agent`, `visitor_date`, `visitor_online`, `visitor_online_status`) 
  VALUES ('".ip()."','".$browser."',CURDATE(),CURRENT_TIMESTAMP,1) ON DUPLICATE KEY UPDATE `visitor_online`=CURRENT_TIMESTAMP, `visitor_online_status`=1";

4.Vulnerability proof

The tools used are sqlmap and burpsuite. Visit the homepage of the website and capture the package, and add the X-Forwarded-For: field, and add the * sign after for the purpose of allowing sqlmap to identify the injection point.

Save the data package as vul.txt and use sqlmap to verify, execute the following command.

python2 sqlmap.py -r vul.txt --batch -v 3 --risk 3 --level 5 

Try to get the database name of the system

python2 sqlmap.py -r vul.txt --batch -v 3 --risk 3 --level 5 --dbs

Try to get the current user of the database

python2 sqlmap.py -r vul.txt --batch -v 3 --risk 3 --level 5 --current-user

It is found through testing that the vulnerability exists and can be exploited.