SQL injection vulnerability can inject user data #5

Open
GIYItalk opened this issue Feb 13, 2019 · 0 comments

URL: https://github.com/bagesoft/bagecms/blob/master/upload/protected/modules/admini/views/post/index.php

There are two parameters in the file that may be injected.
Controller at /upload/protected/modules/admini/views/post/index.php

There is no parameter filtering here, and these parameters are passed into the database query, so there may be a SQL injection vulnerability here.
Find the location of the vulnerability URL:
http://xxx/bage/index.php?r=admini/default/index#2_0

Affected parameters:
title
To affect the title parameter, click the query button, then view the request packet in Burp Suite.

Vulnerability PoC request packet:
GET /baguo/index.php?r=admini%2Fpost%2Findex&catalogId=3&title=111&titleAlias=12&searchsubmit=%E6%9F%A5%E8%AF%A2 HTTP/1.1
Host: 192.168.238.183
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,zh-CN;q=0.8,zh;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.238.183/baguo/index.php?r=admini%2Fpost%2Findex&catalogId=3&title=111&titleAlias=12&searchsubmit=%E6%9F%A5%E8%AF%A2
Cookie: cscms_admin_id=TN06j%2Ff3Rcup; cscms_admin_login=da84ujOoaQEpA6h2JA4p0WXuSzopPDVz5QulrYh5_4DRf3btdjJu0A; PHPSESSID=nljn9ru12buunjvvi012qlj690
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

Steps to reproduce:

  1. First, enter the website's background management page.
  2. Go to the content, content management page.
     There is a query button at the top right to run a query.
  3. Capture and analyze the packet with Burp Suite.

Injection test on the titleAlias parameter:
Use sqlmap to verify that there is an injection point.
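
An added example (not BageCMS code and not part of the original report) of the pattern the report describes, where the `title` and `titleAlias` request parameters reach the query without filtering, shown beside a bound-parameter version. It uses PDO with an in-memory SQLite table; the table, column and function names are assumptions.

```php
<?php
// Added example: table, column and function names are assumptions, not BageCMS code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, catalog_id INTEGER, title TEXT, title_alias TEXT)');
$db->exec("INSERT INTO post (catalog_id, title, title_alias) VALUES
    (3, 'Release notes', 'release'), (3, 'It''s a draft', 'draft'), (4, 'Other catalog', 'other')");

// Unsafe pattern: the two search parameters are concatenated into the SQL text.
function searchConcatenated(PDO $db, array $get): array
{
    $sql = 'SELECT id, title FROM post WHERE catalog_id = ' . (int) $get['catalogId'];
    if ($get['title'] !== '')      $sql .= " AND title LIKE '%" . $get['title'] . "%'";
    if ($get['titleAlias'] !== '') $sql .= " AND title_alias LIKE '%" . $get['titleAlias'] . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Escape LIKE metacharacters so % and _ typed by the user match literally.
function likePattern(string $value): string
{
    return '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value) . '%';
}

// Hardened: the SQL text only ever contains fixed fragments; values are bound as data.
function searchBound(PDO $db, array $get): array
{
    $where  = ['catalog_id = :catalogId'];
    $params = [':catalogId' => (int) $get['catalogId']];
    foreach (['title' => 'title', 'titleAlias' => 'title_alias'] as $key => $column) {
        if ($get[$key] !== '') {
            $where[] = "$column LIKE :$key ESCAPE '!'";
            $params[":$key"] = likePattern($get[$key]);
        }
    }
    $stmt = $db->prepare('SELECT id, title FROM post WHERE ' . implode(' AND ', $where));
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: an ordinary title containing an apostrophe.
$input = ['catalogId' => '3', 'title' => "It's", 'titleAlias' => ''];
try {
    searchConcatenated($db, $input);
    echo "concatenated: query ran\n";
} catch (PDOException $e) {
    // The apostrophe changed the statement's syntax: input is being parsed as SQL.
    echo "concatenated: statement broke on the apostrophe\n";
}
echo 'bound: ' . json_encode(searchBound($db, $input)) . "\n";
```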