This repository has been archived by the owner on May 8, 2023. It is now read-only.

Sec issues: post.php vuln #4

Open
DeffoN0tSt3 opened this issue Aug 30, 2022 · 1 comment
Comments

DeffoN0tSt3 commented Aug 30, 2022

I was drawn to this source code after reading a quick write-up, by [nu11secur1ty] earlier today about the "author parameter from the AeroCMS-v0.0.1" being vuln to SQLi.

It seems there is more. PoC:

1] GET /post.php?p_id=

  • Response normal [7ms]
    HTTP/1.1 200 OK
    Date: Tue, 30 Aug 2022 16:00:08 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Length: 6100
    Connection: close
    Content-Type: text/html; charset=UTF-8

2] GET /post.php?p_id=(select*from(select(sleep(20)))a)

  • Response abnormal [20000+ms]
    Delayed response. A clear indication of SQLi Vuln

3] Checking through the source code we can see the problem.
See post.php lines 94-106

```php
$the_get_post_id = $_GET['p_id'];   // taken straight from the query string, never validated or escaped

$comment_author = mysqli_real_escape_string($connection, trim($_POST['comment_author']));
$comment_email  = mysqli_real_escape_string($connection, trim($_POST['comment_email']));
$commet_content = mysqli_real_escape_string($connection, trim($_POST['comment_content']));

if(!empty($comment_author) && !empty($comment_email) && !empty($commet_content))
{
    // $the_get_post_id is interpolated unquoted into the SQL text, so any
    // expression supplied in p_id becomes part of the query
    $query = "INSERT INTO comments (comment_post_id, comment_author, comment_email,
            comment_content, comment_status, comment_date) VALUES($the_get_post_id,
            '$comment_author', '$comment_email', '$commet_content', 'unapproved', now())";

    $result = mysqli_query($connection, $query);
}
```

Root cause? Unsanitized input into mysqli_query

There are more vulnerabilities within this source; I'm happy to disclose, just contact me. Please ensure proper sanitization of all input.
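For comparison, a hardened form of the comment-insert path shown in the issue, written as an added example rather than code from the AeroCMS project. It assumes `$connection` is an open `mysqli` handle, as in the original snippet; the function name `insert_comment` is the example's own.

```php
<?php
// Added example (not project code): parameterised version of the insert above.
// Assumes $connection is an open mysqli handle, as in the original post.php.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert an unapproved comment for a post using a prepared statement.
 * Returns true when exactly one row was inserted, false on invalid input.
 */
function insert_comment(mysqli $connection, array $get, array $post): bool
{
    // p_id must be a positive integer; reject anything else instead of
    // interpolating it into the SQL text (the root cause described above).
    $post_id = filter_var($get['p_id'] ?? null, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
    if ($post_id === false) {
        http_response_code(400);
        return false;
    }

    $author  = trim((string)($post['comment_author']  ?? ''));
    $email   = trim((string)($post['comment_email']   ?? ''));
    $content = trim((string)($post['comment_content'] ?? ''));

    if ($author === '' || $email === '' || $content === '') {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Placeholders keep user data out of the query string entirely, so no
    // mysqli_real_escape_string() calls are needed for any of the values.
    $sql = 'INSERT INTO comments
                (comment_post_id, comment_author, comment_email,
                 comment_content, comment_status, comment_date)
            VALUES (?, ?, ?, ?, \'unapproved\', NOW())';

    $stmt = $connection->prepare($sql);
    $stmt->bind_param('isss', $post_id, $author, $email, $content);
    $stmt->execute();
    $ok = ($stmt->affected_rows === 1);
    $stmt->close();
    return $ok;
}

// Usage in post.php's comment-handling block:
// if ($_SERVER['REQUEST_METHOD'] === 'POST') { insert_comment($connection, $_GET, $_POST); }
```

With `p_id` validated as an integer and every value bound as a parameter, the `sleep(20)` probe from step 2 is rejected with a 400 instead of being executed by the database.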

@DeffoN0tSt3 DeffoN0tSt3 changed the title Sec issues: Author param is vulnerable to SQLi ++ improper santization of user input Sec issues: Autho Aug 30, 2022
@DeffoN0tSt3 DeffoN0tSt3 changed the title Sec issues: Autho Sec issues: post.php vuln Aug 30, 2022
@nu11secur1ty

Hello dear developer, if you do not fix these problems as soon as possible, you must go to the repository and terminate this project.
BR
