OpenRapid / rapidcms

A fast, simple, easy-to-use CMS system
MIT License

/resource/runlogin.php has sql injection Vulnerability #17

Open XXC385 opened 3 weeks ago

XXC385 commented 3 weeks ago

[Suggested description] RapidCMS Dev.1.3.1 was discovered to contain a SQL injection vulnerability in /resource/runlogin.php

[Vulnerability Type] SQL INJECTION

[Vendor of Product] https://github.com/OpenRapid/rapidcms

[Affected Product Code Base] RapidCMS Dev.1.3.1

[Affected Component] File: /resource/runlogin.php Parameter: username&password

[Attack Type] Remote

[Vulnerability demonstration] First, the password value for the name is obtained by executing an SQL statement and assigned to $pa, and then a comparison is made. If this value is the same as the encrypted value of the password received in the POST request, then setcookie is called.

Snipaste_2024-08-17_18-54-20

On this basis, blind SQL injection can be performed, and then DNSlog can be used to read values from the database.

Snipaste_2024-08-17_18-57-56
XXC385 commented 3 weeks ago
Snipaste_2024-08-17_19-04-48
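
One way to write the lookup-then-compare login flow described in the report so that the username cannot change the query, as an added example (not code from RapidCMS or from the reporter). The table `users`, its columns and `check_login()` are hypothetical names, and `password_hash()`/`password_verify()` stand in for whatever hashing the project uses.

```php
<?php
declare(strict_types=1);

// Added example, not RapidCMS code. The table "users", its columns and
// check_login() are hypothetical names chosen for illustration.
function check_login(PDO $db, string $username, string $password): bool
{
    // Hash used when the user does not exist, so both paths do similar work.
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);

    // The username is bound as a parameter: it is handled as data, so
    // quotes or SQL keywords in it cannot alter the statement.
    $stmt = $db->prepare('SELECT password FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    $stored = $stmt->fetchColumn();

    // password_verify() checks the candidate against a salted hash.
    $ok = password_verify($password, is_string($stored) ? $stored : $dummyHash);
    return $ok && is_string($stored);
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (name, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed inputs: valid login, wrong password, a username containing
// quote characters (matched as a literal string), and an unknown user.
$cases = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["alice' OR '1'='1", 'anything'],
    ['nobody', 'correct horse'],
];
foreach ($cases as [$user, $pass]) {
    $ok = check_login($db, $user, $pass);
    // In a real handler, the login state (the setcookie step in the flow
    // above) would be set only when $ok is true.
    printf("%-20s => %s\n", $user, $ok ? 'accepted' : 'rejected');
}
```

With a MySQL backend, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared by the server rather than interpolated by the client library.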