Description
First, the vulnerability should be reproduced, and then the cause should be analyzed:
After logging in to the backend, we know that if we need to add an app, we need a key:
So before testing, I need to create a new table in the database and add data.
The table name is "app_cms_list", and it contains two rows of data, as shown in the figure.
Next, we can visit this link to perform blind SQL injection via the "now" parameter ("dawn" is the original "admin", but the system requires us to rename the backend):
http://www.dmsj.com:8081/dawn/download_frame.php?m=list&s=1&end=10&now=1+and+1=1%23
Note the use of "+" instead of a space; otherwise the request leads to a 302. At the same time, remember to log in to the backend.
A small surprise: we also found that its cookie did not change before and after login, but it was in the header, which is interesting.
Next, we analyze the code:
dawn\download_frame.php
We can control them completely. Then go to "get_list":
Our "$now" is handed over to "$params['where']".
core\common.class.php
In any case, our $where is not filtered and goes directly into the SQL statement:
We follow the "query":
core\database.class.php
nice!
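The pattern the report describes (a request parameter handed to `$params['where']` and spliced unfiltered into the SQL text) next to the form that closes the hole, as an added example that is not the project's code. It assumes a table `app_cms_list` with `id` and `name` columns, that `now` and `end` are integer paging bounds, and runs against an in-memory SQLite database through PDO; the function names are made up for the illustration.

```php
<?php
// Added example, not code from the reported project. It models the report's
// pattern: a request parameter ("now") concatenated into the WHERE clause,
// beside a hardened version. Table, columns and function names are assumptions.

declare(strict_types=1);

/** Build the in-memory SQLite fixture (constructed sample data, two rows). */
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE app_cms_list (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO app_cms_list (id, name) VALUES (1, 'first'), (2, 'second')");
    return $db;
}

/**
 * Unsafe: the request parameter becomes part of the SQL text, so whatever the
 * client sends is parsed as SQL (the report's "$where is not filtered").
 */
function get_list_unsafe(PDO $db, string $now, string $end): array {
    $where = "id >= $now";                                  // user-controlled string in SQL
    $sql   = "SELECT id, name FROM app_cms_list WHERE $where LIMIT $end";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Hardened: validate both parameters as integers first, then bind them as typed
 * placeholders so the database never interprets user input as SQL.
 */
function get_list_safe(PDO $db, string $now, string $end): array {
    $nowInt = filter_var($now, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $endInt = filter_var($end, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($nowInt === false || $endInt === false) {
        throw new InvalidArgumentException('now/end must be integers within range');
    }
    $stmt = $db->prepare('SELECT id, name FROM app_cms_list WHERE id >= :now LIMIT :end');
    $stmt->bindValue(':now', $nowInt, PDO::PARAM_INT);
    $stmt->bindValue(':end', $endInt, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();

// A legitimate request: both versions return the same two rows.
var_dump(count(get_list_unsafe($db, '1', '10')) === count(get_list_safe($db, '1', '10')));

// The report's probe ("1 and 1=1") survives the unsafe path as SQL and still
// returns rows: the behavioural difference a blind injection is measured by.
var_dump(count(get_list_unsafe($db, '1 and 1=1', '10')) > 0);

// The hardened path rejects the same input before any SQL is built.
try {
    get_list_safe($db, '1 and 1=1', '10');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Validating the type up front and binding with `PDO::PARAM_INT` are two independent layers: the validation gives a clear 4xx-style failure to log and alert on, and the prepared statement guarantees that even a value which slips past validation cannot change the statement's structure.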