Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bluecms V1.6 has SQL injection in line 132 of admin/area.php #3

Open
seizer-zyx opened this issue Jul 26, 2022 · 0 comments
Open

Bluecms V1.6 has SQL injection in line 132 of admin/area.php #3

seizer-zyx opened this issue Jul 26, 2022 · 0 comments

Comments

@seizer-zyx
Copy link
Owner

Bluecms_v1.6

Download

http://lp.downcode.com/j_14/j_14745_bluecms.rar

vulnerability code:

in admin/area.php line 36:
2022-07-26-16-58-55-image
Line 36 of admin/area.php is not heavily filtered, and insert at line 47 allows injection
Single quotes cannot be injected because the argument passed in is get_magic_quotes_gpc()
However, we found the use code GB2312 in the returned response header
image
image
So we can do wide-byte injection here
payload: area_name=0%df',0,0,0,0),(0,@@Version,0,0,0,0)%23&parentid=0&show_order=0&act=doadd
2022-07-26-17-14-52-image
2022-07-26-17-15-03-image
Successful injection!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant