
SQL Injection in tag add function #4

Open
@iflody

Description


There is an SQL injection in the tag adding function; its location is /dapur/apps/app_article/sys_article.php

No filter has been applied to $_POST['name']:


```php
if (isset($_POST['add_tag']) or isset($_POST['save_tag'])) {
    $t = striptags($_POST['name']);
    if (!empty($t)) {
        // name and desc go straight from the request into the insert; striptags only removes HTML
        $qr = $db->insert(FDBPrefix.'article_tags', array("", striptags($_POST['name']), striptags($_POST['desc']), ""));
        if ($qr AND isset($_POST['save_tag'])) {
            notice('success', Tag_Added);
            redirect('?app=article&view=tag');
        }
        else if ($qr) {
            $sql2 = $db->select(FDBPrefix.'article_tags', '*', '', 'id DESC');
            $qrs = $sql2[0];
            notice('success', Tag_Added);
            redirect("?app=article&view=tag&act=edit&id=$qrs[id]");
        }
        else {
            notice('error', Tag_Exists, 2);
        }
    }
    else {
        notice('error', Status_Invalid, 2);
    }
}
```

In the database insert function there is no filter function either; it just adds a couple of " around the tag name. So whenever we update a tag name or add a tag name there is an SQL injection.

URL: /fiyo/dapur/index.php?app=article&view=tag&act=edit&id=79
DATA: apply_tag=Simpan&id=79&name=1%22or%221&desc=1

We need an account to do this.

Discovered by: Chaitin Technology
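For comparison, the following is an added example of how the tag insert above could be written so that the request values are bound as parameters instead of being pasted into the query text. It is not the project's own code: it uses PDO with an in-memory SQLite database so it runs stand-alone, a constructed `article_tags` schema whose column order follows the report's insert, a `TABLE_PREFIX` constant standing in for `FDBPrefix`, and PHP's built-in `strip_tags()` in place of the project's `striptags()` helper.

```php
<?php
// Added example, not Fiyo CMS code: a parameterized replacement for the
// tag insert quoted in the report. SQLite in memory stands in for the
// application's MySQL connection so the script runs offline.
declare(strict_types=1);

const TABLE_PREFIX = 'fiyo_'; // assumption: plays the role of FDBPrefix

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema; columns follow the report's insert order
    // (id, name, desc, and a fourth column the original leaves blank).
    $pdo->exec('CREATE TABLE ' . TABLE_PREFIX . 'article_tags ('
        . 'id INTEGER PRIMARY KEY AUTOINCREMENT, '
        . 'name TEXT NOT NULL UNIQUE, '
        . '"desc" TEXT, '
        . 'extra TEXT)');
    return $pdo;
}

// Safe insert: the user-controlled values never become part of the SQL text.
// strip_tags() is kept for its original job (removing HTML); it is not what
// protects the query, the bound parameters are.
function addTag(PDO $pdo, string $name, string $desc): ?int
{
    $name = trim(strip_tags($name));
    $desc = trim(strip_tags($desc));
    if ($name === '') {
        return null; // mirrors the report's empty-name check (Status_Invalid)
    }
    $stmt = $pdo->prepare(
        'INSERT INTO ' . TABLE_PREFIX . 'article_tags (name, "desc", extra) '
        . 'VALUES (:name, :desc, :extra)'
    );
    try {
        $stmt->execute([':name' => $name, ':desc' => $desc, ':extra' => '']);
    } catch (PDOException $e) {
        return null; // e.g. duplicate name; the app maps this to Tag_Exists
    }
    return (int) $pdo->lastInsertId();
}

function tagName(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT name FROM ' . TABLE_PREFIX . 'article_tags WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

$pdo = openDb();
// The name value from the report's request body, URL-decoded.
$fromReport = urldecode('1%22or%221');
$id = addTag($pdo, $fromReport, '1');
// With binding, the quotes are stored as ordinary characters of the tag name.
var_dump($id !== null && tagName($pdo, $id) === $fromReport);
```

The same change applies to the tag update path the report mentions: any `UPDATE ... SET name = ...` that receives `$_POST['name']` should bind it the same way. The table prefix is the only value concatenated into the statement, and it is a server-side constant, not request data.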
