atjiu / pybbs

A more practical community (forum) developed in Java; Better use of Java development community (forum)
GNU Affero General Public License v3.0

SQL injection vulnerability in version 5.2.1 #137

Closed Dengxu111 closed 3 years ago

Dengxu111 commented 3 years ago

Official website of the manufacturer involved: https://17dev.club/
Source code download address: https://github.com/tomoya92/pybbs
Framework version: V5.2.1
Vulnerability type: SQL injection
Vulnerability status: not fixed
Vulnerability level: high

Code analysis and vulnerability recurrence: As can be seen from the screenshot below (see the upper-left mark of Figure 1.1 for the detailed code path), the "$" symbol is used in the SQL statement in line 83 of the code, resulting in a possible SQL injection vulnerability. From this SQL section, we trace back to the interface functions, and then we find that the SQL section is the topic query SQL of the user's main interface.

There is no front-end filtering operation in the input box, and the existence of the vulnerability can be verified manually. Start the project, log in to the front end after registering a user, create a new topic with the content "1111111" and the title "test", then enter 2 in the search bar, and no data can be found. However, enter '2%' or 1 = 1 -- ' (including spaces), proving that there is a SQL injection vulnerability. Here is the result of sqlmap:

Here is the packet content:

GET /search?keyword=2 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8080/search?keyword=2
Cookie: Idea-54cb6313=611cbcaa-eb60-4866-8b10-8f2fea455b22; Authorization=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiIxIiwiZXhwIjoxNTk5MDE3NzgzLCJ1c2VySWQiOjEsImlhdCI6MTU5ODkzMTM4MywiYWNjb3VudCI6ImFkbWluIiwidXNlcktleSI6Inh4eHgifQ.3MRd8n5x78QuNnClBjWZxc4Y4oplRV6mtBd53m5FghR1ilaqt7FczhIUyryrjRme12TBgwrzI-qGs3eHN5_q4g; JSESSIONID=UMjiO7zbFl9WqWoAVl0PqfFR4PtuQkZBamTULP5y; user_token=b8c937e7-1494-4b7d-bb58-e1442a0d0f74
Upgrade-Insecure-Requests: 1

atjiu commented 3 years ago

Thanks for the feedback. I have changed ${} to #{}, tested it, and the problem is gone. Thanks again.
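To show what the maintainer's `${}` to `#{}` change does in practice, here is an added example (not pybbs's own code) that rebuilds the topic search in Python against an in-memory SQLite table: the `${}`-style string splice next to the bound-parameter form, run with the keyword from the report above. It also escapes LIKE wildcards, which `#{}` alone does not do; the table, rows and function names are constructed for this example.

```python
import sqlite3

# Constructed sample rows standing in for the topic table (not the project's real schema).
SAMPLE_TOPICS = [("test", "1111111"), ("hello", "world")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE topic (id INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    conn.executemany("INSERT INTO topic (title, content) VALUES (?, ?)", SAMPLE_TOPICS)
    return conn


def search_vulnerable(conn, keyword):
    """Mimics MyBatis ${keyword}: the raw value is spliced into the SQL text, so the
    database parses whatever the user typed as part of the statement."""
    sql = (f"SELECT id FROM topic WHERE title LIKE '%{keyword}%' "
           f"OR content LIKE '%{keyword}%' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def escape_like(value):
    """Neutralise LIKE metacharacters so a keyword such as '%' matches itself, not every row."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_fixed(conn, keyword):
    """Mimics MyBatis #{keyword}: the value travels as a bound parameter, never as SQL text.
    The wildcards are added around the bound value in application code (in a MyBatis
    mapper the equivalent is CONCAT('%', #{keyword}, '%')); a placeholder written inside
    a quoted literal such as '%#{keyword}%' is not substituted at all."""
    pattern = "%" + escape_like(keyword) + "%"
    sql = ("SELECT id FROM topic WHERE title LIKE ? ESCAPE '\\' "
           "OR content LIKE ? ESCAPE '\\' ORDER BY id")
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


if __name__ == "__main__":
    db = make_db()
    payload = "2%' or 1 = 1 -- "  # the search string from the report above
    print("vulnerable:", search_vulnerable(db, payload))  # every topic id
    print("fixed:     ", search_fixed(db, payload))       # no rows
```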