Found a code execution vulnerability in cmswing project version 1.3.8. Details can be found in the analysis below.
Vulnerability Location
The vulnerability lies in the rechargeAction function in cmswing/src/controller/admin/user.js. The variable data.balance represents the amount of recharge. The function rechargeAction increases the amount of money for the specified user, but lacks sufficient checks for data.balance, which results in SQL injection when the database update operation is performed.
Local Test
Enter the background of the system, select user recharge.
Modify the balance to (select if(left(version(),1)=5,sleep(5),sleep(10))). It was found that the replenishment was successful and the response time was extended by 5 seconds, proving that our statement was successfully injected into the database for execution.
Database Execution Log
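A defensive sketch of the missing check described in this report, added here as an example and not taken from cmswing's code: it validates the balance field as a plain decimal amount before any database call and passes it as a bound parameter. The function names and the table and column names are hypothetical.

```javascript
'use strict';

// Accept only a plain decimal amount: up to 9 integer digits, at most 2 decimals.
const AMOUNT_RE = /^\d{1,9}(\.\d{1,2})?$/;

// Returns the amount in integer cents, or throws on anything else.
function parseRechargeAmount(raw) {
  // Reject arrays, objects and numbers outright: form fields arrive as strings,
  // and non-string values may be treated specially by a query builder.
  if (typeof raw !== 'string') {
    throw new TypeError('balance must be a string form field');
  }
  const text = raw.trim();
  if (!AMOUNT_RE.test(text)) {
    throw new RangeError('balance is not a decimal amount');
  }
  const [whole, frac = ''] = text.split('.');
  const cents = Number(whole) * 100 + Number(frac.padEnd(2, '0'));
  if (cents === 0) throw new RangeError('balance must be greater than zero');
  return cents;
}

// Builds the statement with placeholders; the value never becomes SQL text.
// Table and column names here are hypothetical.
function buildRechargeUpdate(userId, rawBalance) {
  if (!Number.isInteger(userId) || userId <= 0) throw new TypeError('bad user id');
  const cents = parseRechargeAmount(rawBalance);
  return {
    sql: 'UPDATE member SET amount_cents = amount_cents + ? WHERE id = ?',
    params: [cents, userId],
  };
}

// Constructed sample inputs; the second is the test value quoted in the report.
const SAMPLES = ['100.50', '(select if(left(version(),1)=5,sleep(5),sleep(10)))',
  '1e3', '-5', '10 or 1=1'];

// Runs each sample through the validator and records accept/reject.
function classify(samples) {
  return samples.map((s) => {
    try { return { input: s, ok: true, cents: parseRechargeAmount(s) }; }
    catch (e) { return { input: s, ok: false, reason: e.message }; }
  });
}

console.log(classify(SAMPLES));
console.log(buildRechargeUpdate(7, '100.50'));
```

Only the first sample is accepted; the rest are rejected before a statement is built.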