taocms 3.0.2: SQL injection exists in the background #27

Open
zhendezuile opened this issue Feb 16, 2022 · 0 comments
Vulnerability file address:
\include\Model\Category.php
[screenshot 1]
It can be seen that the update function does not filter the id. After obtaining the id with the columnsdata function, it is brought into the updatelist function to update the data.
[screenshot 2]
Then the id is brought into the getlist function for the select query.
[screenshot 3]
Finally, the id is brought into the updatelist function for an update.
As can be seen from the above, a total of three SQL statements were executed, and none of the ids were filtered.

Vulnerability reproduction:
1. Build the environment locally, and then enter the background.
2. Click the Manage section, then click Edit, and finally click Submit.
[screenshot 4]
[screenshot 5]
3. Then use Burp Suite to capture a packet and send the packet to the Repeater module.
[screenshot 6]
4. The vulnerable variable is id, and the payload is constructed as: and if(ascii(substr(database(),1,1))=116,sleep(2),0)
Click Send; you can see that the delay is 6 seconds. As mentioned earlier, this is because the SQL statement is executed 3 times.
[screenshot 7]

Repair suggestion:
Filter the id.
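The unfiltered-id pattern described in the issue, with a hardened form beside it, as an added PHP example that is not taocms's code: the names getlist and updatelist come from the issue's description of the Category model, while the category table, its rows, and the helper requireIntId are assumptions, and the example runs against an in-memory SQLite database through PDO so it can be executed offline.

```php
<?php
// Added illustration for the issue above; it is not taocms code. The function
// names getlist/updatelist mirror the issue's description of the Category
// model, but their bodies are hypothetical and run against an in-memory
// SQLite table so the snippet executes offline (requires the pdo_sqlite
// extension).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO category (id, name) VALUES (1, 'news'), (2, 'blog')");

// Vulnerable pattern the issue describes: the id taken from the request is
// concatenated into the SQL text, so whatever follows the number becomes
// part of the WHERE clause. Every statement built this way executes the
// injected fragment again, which is why the issue observes a delay of three
// times the sleep() argument when the id reaches three statements.
function getlist_vulnerable(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM category WHERE id=$id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate id as an integer once, at the boundary, then bind
// it as a parameter so the database never parses it as SQL. (Hypothetical
// helper, not part of taocms.)
function requireIntId($id): int
{
    $valid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $valid;
}

function getlist_safe(PDO $db, $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM category WHERE id = :id');
    $stmt->execute([':id' => requireIntId($id)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function updatelist_safe(PDO $db, $id, string $name): int
{
    $stmt = $db->prepare('UPDATE category SET name = :name WHERE id = :id');
    $stmt->execute([':name' => $name, ':id' => requireIntId($id)]);
    return $stmt->rowCount();
}

// Constructed sample input: an id parameter with extra SQL appended to it.
$tampered = '1 OR 1=1';

// The vulnerable query returns every row because the condition was rewritten.
$rows = getlist_vulnerable($db, $tampered);
printf("vulnerable: %d row(s) returned for id=%s\n", count($rows), $tampered);

// The hardened functions reject the same input before any SQL is built.
try {
    getlist_safe($db, $tampered);
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected (%s)\n", $e->getMessage());
}

// Normal use still works: one row read, one row updated.
$rows = getlist_safe($db, '2');
printf("hardened: %d row(s) returned for id=2\n", count($rows));
printf("hardened: %d row(s) updated\n", updatelist_safe($db, '2', 'weblog'));
```

Run it with `php example.php`. The point of the design is that the id is validated in one place and then only ever reaches the database as a bound parameter; since the issue notes that the same id flows through three statements (columnsdata, getlist, updatelist), fixing a single concatenation would leave the other two paths open, whereas validating at the entry point and using prepared statements everywhere closes all three.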
