Official website of the manufacturer involved: https://17dev.club/
Source code download address: https://github.com/tomoya92/pybbs
Framework version: V5.2.1
Vulnerability type: SQL injection
Vulnerability status: not fixed
Vulnerability level: high
Code analysis and vulnerability recurrence:
As can be seen from the screenshot below (see the upper-left mark of Figure 1.1 for the detailed code path), the "$" symbol is used in the SQL statement on line 83 of the code, resulting in a possible SQL injection vulnerability. From this SQL section, we trace back to the interface functions and find that the SQL section is the topic query SQL of the user's main interface.
There is no front-end filtering operation in the input box, and the existence of the vulnerability can be verified manually. Start the project, log in to the front end after registering a user, create a new topic with the content "1111111" and the title "test", then enter 2 in the search bar: no data is found. However, entering '2%' or 1 = 1 -- ' (including spaces) does return results, proving that there is a SQL injection vulnerability.
Here is the result of sqlmap:
Here is the packet content:
```http
GET /search?keyword=2 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8080/search?keyword=2
Cookie: Idea-54cb6313=611cbcaa-eb60-4866-8b10-8f2fea455b22; Authorization=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIxIiwiZXhwIjoxNTk5MDE3NzgzLCJ1c2VySWQiOjEsImlhdCI6MTU5ODkzMTM4MywiYWNjb3VudCI6ImFkbWluIiwidXNlcktleSI6Inh4eHgifQ.3MRd8n5x78QuNnClBjWZxc4Y4oplRV6mtBd53m5FghR1ilaqt7FczhIUyryrjRme12TBgwrzI-qGs3eHN5_q4g; JSESSIONID=UMjiO7zbFl9WqWoAVl0PqfFR4PtuQkZBamTULP5y; user_token=b8c937e7-1494-4b7d-bb58-e1442a0d0f74
Upgrade-Insecure-Requests: 1
```
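The report above hinges on a MyBatis mapper that splices the search keyword into the SQL text with `${}` instead of binding it with `#{}`. The following is an added example, not code from the pybbs project or from the reporter: it models `${keyword}` as string interpolation and `#{keyword}` as a bound parameter using Python's sqlite3, against a constructed `topic` table, and replays the reporter's payload against both. The table layout and the `LIKE '%...%'` query shape are assumptions (the actual query on line 83 of pybbs is not shown on this page), and the payload reads the outer quotes in the report as delimiters.

```python
import sqlite3

# Constructed sample data modelled on the report: one topic titled "test"
# with content "1111111", plus a second row so the tautology is visible.
TOPICS = [
    (1, "test", "1111111"),
    (2, "hello world", "another topic"),
]

# The reporter's payload, reading the outer quotes in the report as
# delimiters. The trailing space matters on MySQL, where "-- " needs it.
PAYLOAD = "2%' or 1 = 1 -- "


def make_db():
    """In-memory table standing in for the pybbs topic table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE topic (id INTEGER PRIMARY KEY, title TEXT, content TEXT)"
    )
    conn.executemany("INSERT INTO topic VALUES (?, ?, ?)", TOPICS)
    return conn


def render_interpolated(keyword):
    """What MyBatis ${keyword} hands to the database: raw text spliced in.
    The query shape (LIKE on title) is an assumption, not pybbs's own SQL."""
    return f"SELECT id, title FROM topic WHERE title LIKE '%{keyword}%'"


def search_interpolated(conn, keyword):
    """Vulnerable path: a quote in the keyword closes the string literal,
    so "2%' or 1 = 1 -- " turns the WHERE clause into a tautology and the
    trailing "%'" of the template is commented out."""
    rows = conn.execute(render_interpolated(keyword))
    return sorted(row[1] for row in rows)


def search_bound(conn, keyword):
    """Hardened path, the equivalent of MyBatis #{keyword}: the keyword is
    sent as a bound parameter, so quotes and comment markers stay inside the
    value. Note that '%' and '_' are still LIKE wildcards; escape them if
    callers must not be able to widen the match."""
    sql = "SELECT id, title FROM topic WHERE title LIKE '%' || ? || '%'"
    rows = conn.execute(sql, (keyword,))
    return sorted(row[1] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print(render_interpolated(PAYLOAD))
    print("interpolated, keyword 2:", search_interpolated(db, "2"))
    print("interpolated, payload  :", search_interpolated(db, PAYLOAD))
    print("bound,        payload  :", search_bound(db, PAYLOAD))
```

The interpolated search returns nothing for `2` and every row for the payload, which is the behaviour the report describes; the bound search returns nothing for both. In a MyBatis mapper the same fix is to write `#{keyword}` for values and to reserve `${}` for identifiers such as sort columns, checked against an allow-list before they reach the SQL text.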