Skip to content

phtcloud-dev/CVE-2024-36837

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 

Repository files navigation

CVE-2024-36837 POC

write URL in url.txt and run CVE-2024-36837.py
poc

CVE-2024-36837

In my freshman year, I found that an educational institution used CRMEB Mall as an online store in an Internet protection action. After testing, sql injection vulnerability was found. After setting up a local environment, the vulnerability was found in CRMEB version of CRMEB-KY v5.2.2 even higher

Sqlmap: python sqlmap.py -u “http://XXX.URL/api/products?limit=20&priceOrder=&salesOrder=&selectId=0”
Vulnerability code area
File: website directory/app/API/controller/PC/ProductController. PHP
image
In the getProductList function, passing arguments that are not validated or processed can easily result in the execution of malicious sql commands
Suggested fixes:
Using a web firewall
Conduct regular security audits and vulnerability assessments to identify and mitigate potential security issues.
Vendor URL: https://crmeb.com/
Project making warehouse URL: https://github.com/crmeb/CRMEB/tree/master
Vendor Information:
Xi 'an Zhongbang network Technology Co., LTD
西安众邦网络科技有限公司
image

About

CVE-2024-36837 POC

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages