Time-based blind SQL injection Vulnerability in CSZCMS-1.2.4 #22

Closed

edwatering opened this issue Nov 14, 2019 · 2 comments

Comments

@edwatering

Hi, @cskaza and I found an arbitrary file upload vulnerability in cszcms-1.2.4. The vulnerable code is on cszcms/core/MY_Security.php file line 47.
[screenshot]
I think using the function 'escape-string' can solve the SQL injection vulnerability, but you use the function 'xss_clean' after it. The function 'xss_clean' can decode the string with the function 'rawurldecode', so I can exploit it like #19.
URL-encode the value of the UA:
Before:
User-Agent: '-( if(1=1, sleep(5), 1) )-'', '192.168.1.11','time') #
After:
User-Agent: %27%2d%28%20%69%66%28%31%3d%31%2c%20%73%6c%65%65%70%28%35%29%2c%20%31%29%20%29%2d%27%27%2c%20%27%31%39%32%2e%31%36%38%2e%31%2e%31%31%27%2c%27%74%69%6d%65%27%29%20%23
[screenshot]

Suggestion: remove the function 'xss_clean' here.
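The ordering problem described above, as an added illustration that is not part of the report or of the CSZCMS code: a value is escaped for MySQL first and then handed to a filter that URL-decodes it, so a single URL-encoded quote passes the escaping step untouched and is turned back into a raw quote afterwards. The `escape_str` and `xss_clean` helpers below are stand-ins for the PHP functions named in the issue (they model only the behaviour that matters here), and the `visitor_log` table and its columns are assumed for the sake of the example.

```python
"""Escape-then-decode ordering bug, modelled in Python.

Added example, not CSZCMS code.  escape_str() stands in for MySQL
real_escape_string, xss_clean() for the rawurldecode() step inside
CodeIgniter's xss_clean; the table and columns in build_query() are
assumed.
"""
from urllib.parse import unquote

# User-Agent payload from the report, raw and URL-encoded (the encoded
# form is the one that is sent; it contains no quote for escape_str to see).
RAW_UA = "'-( if(1=1, sleep(5), 1) )-'', '192.168.1.11','time') #"
ENCODED_UA = (
    "%27%2d%28%20%69%66%28%31%3d%31%2c%20%73%6c%65%65%70%28%35%29%2c%20%31%29%20%29%2d"
    "%27%27%2c%20%27%31%39%32%2e%31%36%38%2e%31%2e%31%31%27%2c%27%74%69%6d%65%27%29%20%23"
)


def escape_str(value: str) -> str:
    """Stand-in for MySQL real_escape_string: backslash-escape the
    characters that can terminate or corrupt a string literal."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def xss_clean(value: str) -> str:
    """Only the part of xss_clean that matters for this bug: it
    rawurldecode()s its input.  Everything else the filter does is omitted."""
    return unquote(value)


def build_query(ua: str) -> str:
    """Interpolate the (supposedly escaped) UA into an INSERT.
    Table and column names are assumed for the example."""
    return ("INSERT INTO visitor_log (user_agent, ip, date) "
            f"VALUES ('{ua}', '192.168.1.11', 'time')")


def vulnerable_query(ua: str) -> str:
    """Order as reported: escape first, then a filter that decodes."""
    return build_query(xss_clean(escape_str(ua)))


def fixed_query(ua: str) -> str:
    """Escaping is the last step before the value reaches SQL; nothing
    decodes it afterwards.  (Parameterised queries would be better still.)"""
    return build_query(escape_str(ua))


def outside_string_literals(sql: str) -> str:
    """Return the characters of sql that MySQL would read as SQL rather than
    as string content, honouring backslash escapes and doubled quotes."""
    out, i, in_str = [], 0, False
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "\\":            # escaped char: skip it and the next
                i += 2
                continue
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 2            # '' inside a literal is a literal quote
                    continue
                in_str = False        # closing quote
        elif ch == "'":
            in_str = True             # opening quote
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def is_injected(sql: str) -> bool:
    """True if the sleep() call ended up outside every string literal,
    i.e. MySQL would execute it."""
    return "sleep(5)" in outside_string_literals(sql)


if __name__ == "__main__":
    print("vulnerable, encoded UA:", is_injected(vulnerable_query(ENCODED_UA)))
    print("vulnerable, raw UA:    ", is_injected(vulnerable_query(RAW_UA)))
    print("fixed, encoded UA:     ", is_injected(fixed_query(ENCODED_UA)))
    print("fixed, raw UA:         ", is_injected(fixed_query(RAW_UA)))
```

Running it shows why the reporter had to URL-encode the payload: the raw UA is neutralised by `escape_str` in both orderings, while the encoded UA sails through `escape_str` unchanged and is decoded into live quotes only in the vulnerable ordering. Removing the decoding step after escaping (or, better, binding the value as a query parameter) closes the gap.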

@cskaza
Owner

cskaza commented Nov 25, 2019

Thanks for your suggestion. I will resolve it.

@cskaza
Owner

cskaza commented Nov 27, 2019

This bug has been resolved.
https://gitlab.com/cszcms/cszcms/commit/64b4851c5d79eb4ef4c4d99708d3f03c239bf63b

Thanks.

@cskaza cskaza closed this as completed Nov 27, 2019