PbootCMS 3.0.4 has SQL injection
Submitter name:
Vulnerability Type:
SQL Injection
Vulnerability Version:
3.0.4
Reproduction environment:
Vulnerability description and reproduction:
The default database is SQLite. For testing convenience, replace the default database with MySQL.
The MySQL database dump is located at:
pbootcms\static\backup\sql\0cb2353f8ea80b398754308f15d1121e_20200705235534_pbootcms.sql
A boolean-based blind SQL injection occurs on this page.
'$_POST' sends an indexed array.
The values in the array are concatenated into the "where" condition with "and".
When the condition is true:
When the condition is false:
Payload:
Because the input is filtered, only 'regexp' can be used for pattern matching.
For example, "username = admin" can be expressed as "username regexp 0x5E612E2A", where "5E612E2A" is the hexadecimal encoding of "^a.*".
In this way the admin account name and password can be extracted.
Detailed information:
1: Vulnerable code: core\basic\Model.php
When the parameter $where passed in is an array, it is traversed, and when $where is an indexed array the value is appended directly: $where_string .= $value.
2: Find the code that passes an indexed array into the 'where' function:
Path: apps\home\controller\ParserController.php
In 'parserSearchLabel()', the incoming data is assigned to the variable "$receive" for traversal, and each "$key" is passed to "request()" for filtering.
The values of the indexed array passed in through the above method may contain only Chinese characters, letters, digits, hyphens, dots, commas and spaces. They are encoded by 'htmlspecialchars()' and 'addslashes()'.
Finally, the result is passed to '$where3'.
The '$where3' in 'getlists()' is controllable, and it is concatenated into the statement with 'and'.
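As an added illustration (not PbootCMS code), the following PHP reconstructs the indexed-array branch of the where builder described above next to a hardened variant that whitelists column names and binds values through placeholders. Apart from $where_string and $value, all function and variable names are assumptions.

```php
<?php
// Added example, not PbootCMS code. build_where_vulnerable() mirrors the
// behaviour described above: for an indexed array the value is appended
// verbatim, so filtered-but-unquoted user input becomes part of the SQL.
function build_where_vulnerable(array $where): string {
    $where_string = '';
    foreach ($where as $key => $value) {
        if (is_int($key)) {
            // indexed array: raw fragment, exactly what the report describes
            $where_string .= ' and ' . $value;
        } else {
            // associative array: column = value, at least quoted
            $where_string .= " and $key = '" . addslashes($value) . "'";
        }
    }
    return 'where 1=1' . $where_string;
}

// Hardened variant (hypothetical): user-supplied search terms never become
// SQL text. Only whitelisted column names are accepted, and every term is
// returned as a bound parameter for a prepared statement.
function build_where_safe(array $search, array $allowedColumns): array {
    $sql = 'where 1=1';
    $params = [];
    foreach ($search as $column => $term) {
        if (!in_array($column, $allowedColumns, true)) {
            continue; // unknown or attacker-chosen column names are dropped
        }
        $sql .= " and `$column` like ?";
        $params[] = '%' . $term . '%';
    }
    return [$sql, $params];
}

// Constructed input: letters, digits, spaces and a hex literal all pass the
// character filter quoted in the report, so this survives as a where fragment.
$userTerm = 'username regexp 0x5E612E2A';

// Vulnerable path: the term is appended as an SQL predicate.
echo build_where_vulnerable([$userTerm]), "\n";

// Hardened path: the same term is only ever a bound value.
[$sql, $params] = build_where_safe(['username' => $userTerm], ['username', 'title']);
echo $sql, "\n";
print_r($params);
```

A practical detection check for this class of bug is to grep the model layer for string concatenation of user-controlled array values into SQL (here `$where_string .= $value`) and require that every such branch either whitelists the fragment or goes through a parameter.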