URL: https://github.com/bagesoft/bagecms/blob/master/upload/protected/modules/admini/views/post/index.php
There are two parameters in the file that may be injected.

Controller at /upload/protected/modules/admini/views/post/index.php
There is no parameter filtering here, and these parameters are passed into the database query, so there may be a SQL injection vulnerability here.

Find the location of the vulnerability URL:
http://xxx/bage/index.php?r=admini/default/index#2_0
Affected parameters:
Title
To affect the parameter title, click on the query button and view the request package through Burp Suite.
Vulnerability PoC request package:
GET /baguo/index.php?r=admini%2Fpost%2Findex&catalogId=3&title=111&titleAlias=12&searchsubmit=%E6%9F%A5%E8%AF%A2 HTTP/1.1
Host: 192.168.238.183
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,zh-CN;q=0.8,zh;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.238.183/baguo/index.php?r=admini%2Fpost%2Findex&catalogId=3&title=111&titleAlias=12&searchsubmit=%E6%9F%A5%E8%AF%A2
Cookie: cscms_admin_id=TN06j%2Ff3Rcup; cscms_admin_login=da84ujOoaQEpA6h2JA4p0WXuSzopPDVz5QulrYh5_4DRf3btdjJu0A; PHPSESSID=nljn9ru12buunjvvi012qlj690
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Reproduction steps:
There is a query button at the top right to query.
3. Burp Suite capture packet analysis.
Inject test on the titleAlias
Use sqlmap to verify that there is an injection point.
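
How a search filter of the kind described above can be hardened, as an added example that is not BageCMS code and not part of the original report: it runs the same search once with request values concatenated into the SQL text and once with validated, bound parameters. Only the request parameter names catalogId, title and titleAlias come from the report; the table, column and function names and the sample rows are constructed for illustration.

```php
<?php
// Added example: constructed schema and rows, not BageCMS code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, catalog_id INTEGER, title TEXT, title_alias TEXT)');
$db->exec("INSERT INTO post (catalog_id, title, title_alias) VALUES
    (3, 'Release notes', 'release'), (3, 'Editor''s pick', 'pick'), (7, 'Other catalog', 'other')");

// Weak form: request values become part of the SQL text.
function searchConcatenated(PDO $db, array $q): array
{
    $sql = "SELECT id FROM post WHERE catalog_id = " . $q['catalogId']
         . " AND title LIKE '%" . $q['title'] . "%'"
         . " AND title_alias LIKE '%" . $q['titleAlias'] . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Escape LIKE wildcards so user input only ever matches literally.
function likeValue(string $s): string
{
    return '%' . strtr($s, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
}

// Hardened form: integer validation plus bound parameters.
function searchBound(PDO $db, array $q): array
{
    $catalogId = filter_var($q['catalogId'] ?? null, FILTER_VALIDATE_INT);
    if ($catalogId === false) {
        throw new InvalidArgumentException('catalogId must be an integer');
    }
    $stmt = $db->prepare("SELECT id FROM post WHERE catalog_id = :cid
        AND title LIKE :title ESCAPE '\\' AND title_alias LIKE :alias ESCAPE '\\'");
    $stmt->execute([
        ':cid'   => $catalogId,
        ':title' => likeValue((string) ($q['title'] ?? '')),
        ':alias' => likeValue((string) ($q['titleAlias'] ?? '')),
    ]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request: a title that contains a single quote.
$q = ['catalogId' => '3', 'title' => "Editor's", 'titleAlias' => ''];
try {
    searchConcatenated($db, $q);
    echo "concatenated: query ran\n";
} catch (PDOException $e) {
    echo "concatenated: input changed the SQL syntax (", $e->getMessage(), ")\n";
}
echo "bound: ", json_encode(searchBound($db, $q)), "\n";
```

The concatenated query fails to parse because the quote in the title ends the string literal early, which is the condition the report describes; the bound query treats the same value as data and returns the matching row.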