CVE-2022-27962: Bluecms v1.6 has an SQL injection vulnerability at cookie · Issue #1 · xunyang1/my-vulnerability
Bluecms 1.6 has an SQL injection vulnerability in the cookie.
Bluecms_v1.6_sqlinj
Found by rerce
Bluecms_v1.6 download page:
http://lp.downcode.com/j_14/j_14745_bluecms.rar
Vulnerable code:
include/common.inc.php line 115:
The $user_name parameter above is only passed through the addslashes function.
Moreover, it can be seen from the configuration file that GB2312 encoding is adopted, so wide byte injection can be considered to bypass addslashes.
When we send Cookie: BLUE[user_name]=admin%df' we can see the MySQL error.
Payload: Cookie: BLUE[user_name]=admin%df' or sleep(5)#
The response is delayed by 5 seconds.
Bluecms_v1.6_sqlinj_2
The same problem appears on line 110:
As in the previous problem, the $user_name parameter above is only passed through the addslashes function.
Payload: Cookie: BLUE[user_id]=1;BLUE[user_name]=admin%df' or sleep(5)#;BLUE[user_pwd]=aaa
The response is delayed by 5 seconds.
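Why addslashes does not protect $user_name here, shown at byte level as an added example (not code from Bluecms or from the original report). It assumes the database connection reads the query as GBK, modelled with Python's gbk codec; GBK is the superset of GB2312 in which 0x5C is a valid trail byte. The function names are hypothetical and the inputs are constructed from the cookie value quoted above.

```python
from urllib.parse import unquote_to_bytes

ESCAPED = b"'\"\\"  # bytes that PHP addslashes() prefixes with a backslash


def addslashes(raw: bytes) -> bytes:
    """Byte-wise model of PHP addslashes(); it knows nothing about charsets."""
    out = bytearray()
    for b in raw:
        if b in ESCAPED:
            out += b"\\" + bytes([b])
        elif b == 0:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes still acting as terminators when read in charset."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":      # backslash escapes the next character
            i += 2
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def has_dangling_lead_byte(cookie_value: str) -> bool:
    """Input check: a GBK lead byte (0x81-0xFE) directly before a byte that
    addslashes() escapes. Such input is always mishandled, so reject it."""
    raw = unquote_to_bytes(cookie_value)
    i = 0
    while i < len(raw) - 1:
        if 0x81 <= raw[i] <= 0xFE:
            if raw[i + 1] in ESCAPED:
                return True
            i += 2               # complete double-byte character
        else:
            i += 1
    return False


if __name__ == "__main__":
    escaped = addslashes(unquote_to_bytes("admin%df'"))  # constructed sample
    print(escaped, unescaped_quotes(escaped, "gbk"))
```

The input check is only a stopgap for logging or filtering. The durable fix is to bind $user_name as a parameter of a prepared statement instead of escaping bytes before the connection charset is applied.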