Yes, you are right. If you use flamingo for commercial use, remember to enhance this. Not adding these additional checks and enhancements is just for simplicity for users who study it. @marckwei
## issue 1

### Vulnerability

There is a SQL injection vulnerability in the `UserManager::addUser` method. The related business corresponding to the method is the registered account. `userid`, `username` and `nickname` can be controlled, there are no filtering measures, and the entire SQL statement is executed directly. Looking at the code, it is found that the client does not encrypt the transmitted data, and the registration information is returned to the server in clear text. Therefore, it can be injected directly in the client registration window.

### PoC

payload:

`ad','ad','ads',sleep(10));#`

or

`ad','ad','ads',user());#`
## issue 2

### Vulnerability

There is a SQL injection vulnerability in the `UserManager::updateUserTeamInfoInDbAndMemory` method. `newteaminfo` can be controlled.

### PoC

The client has an input length limit, but the client-side defense is invalid. Hard-code the payload into the program.

payload:

`1"}]' or updatexml(2,concat(0x7e,version()),0) or'`
## issue 3

### Vulnerability

There is a SQL injection vulnerability in the `UserManager::addGroup` method. `groupname` can be controlled. The create-group-chat function can trigger this method.

![image-20201126161703629](https://user-images.githubusercontent.com/53387362/100441109-e3f19500-30e0-11eb-86dc-5cd388d095b9.png)

payload:

`1','','1',version());#`

The client has an input length limit, but the client-side defense is invalid. Hard-code the payload into the program.
Find the place where the client sends the JSON, and hard-code the payload in.

![image-20201127173507099](https://user-images.githubusercontent.com/53387362/100441151-f66bce80-30e0-11eb-9287-5eef868dd0fa.png)
## issue 4

### Vulnerability

There is a SQL injection vulnerability in the `UserManager::updateUserInfoInDb` method.

### PoC

payload:

`1' or updatexml(2,concat(0x7e,version()),0) or'`
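As an added example (not code from flamingo or from the reporter), the pattern behind all four findings and the server-side fix: the spliced-string statement beside a parameterized one, with an allowlist check that runs on the server because the client's length limit is bypassable. Python's `sqlite3` stands in for the server's MySQL layer; the table and column names are assumed.

```python
import re
import sqlite3

# Hypothetical stand-in for the server's user table (names assumed, not flamingo's schema).
SCHEMA = "CREATE TABLE users (userid TEXT PRIMARY KEY, username TEXT, nickname TEXT)"
# Constructed from the report's first PoC: the value typed into the registration window.
POC_NICKNAME = "ad','ad','ads',sleep(10));#"
# Server-side allowlist: the client's length limit is bypassed by hard-coding the payload,
# so only checks performed by the server count.
USERID_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
NAME_RE = re.compile(r"^[\w .\-]{1,32}$")

def validate_registration(userid: str, username: str, nickname: str) -> bool:
    """True only if every field matches its allowlist (no quotes, commas or comment markers)."""
    return bool(USERID_RE.fullmatch(userid) and NAME_RE.fullmatch(username)
                and NAME_RE.fullmatch(nickname))

def build_insert_vulnerable(userid: str, username: str, nickname: str) -> str:
    """The anti-pattern behind all four findings: untrusted fields spliced into the SQL text."""
    return ("INSERT INTO users(userid, username, nickname) VALUES('%s','%s','%s')"
            % (userid, username, nickname))

def add_user_parameterized(conn: sqlite3.Connection, userid, username, nickname) -> None:
    """Bound parameters: values travel separately from the statement, so quotes never reach the parser."""
    conn.execute("INSERT INTO users(userid, username, nickname) VALUES(?, ?, ?)",
                 (userid, username, nickname))

def add_user_hardened(conn: sqlite3.Connection, userid, username, nickname) -> None:
    """Defense in depth: server-side allowlist first, then the parameterized statement."""
    if not validate_registration(userid, username, nickname):
        raise ValueError("registration fields rejected by server-side validation")
    add_user_parameterized(conn, userid, username, nickname)

def stored_nickname(conn: sqlite3.Connection, userid: str):
    row = conn.execute("SELECT nickname FROM users WHERE userid = ?", (userid,)).fetchone()
    return row[0] if row else None

def run_demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    spliced = build_insert_vulnerable("ad", "ad", POC_NICKNAME)  # quoting is broken
    add_user_parameterized(conn, "ad", "ad", POC_NICKNAME)      # stored as plain text
    try:
        add_user_hardened(conn, "ad2", "ad", POC_NICKNAME)
        rejected = False
    except ValueError:
        rejected = True
    return {"spliced_sql": spliced, "stored": stored_nickname(conn, "ad"), "rejected": rejected}
```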