| शीर्षक | 7-card Fakabao ≤v1.0_build20230805 SQL Injection |
|---|
| विवरण | The 7-card Fakabao application, specifically in version ≤v1.0_build20230805, has a SQL injection vulnerability in the file shop/wxpay_notify.php. This issue arises from the parameter out_trade_no being directly combined into the SQL query, which potentially allows for SQL injection attacks.
Once the WeChat pay channel is enabled, an attacker could use a tool like Postman to send a sleep query to it, thereby confirming the SQL injection vulnerability. An example of such a query would be:
GET /shop/notify.php?out_trade_no=1'='2' or sleep(5);%23 HTTP/1.1
Host: fakabao.lab.wetolink.com
Cookie: PHPSESSID=eohle1e8v1rfp9d4o46b1puht4
The vendor, available at https://www.7-card.cn/, has been notified about this vulnerability. As of the time of this report, users are advised to update their software to the latest version or implement other protective measures to mitigate this risk. |
|---|
| स्रोत | ⚠️ https://note.zhaoj.in/share/mqHZlle8Pcg8 |
|---|
| उपयोगकर्ता | glzjin (UID 59815) |
|---|
| सबमिशन | 22/12/2023 04:54 PM (3 साल पहले) |
|---|
| संयम | 30/12/2023 05:38 PM (8 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 249387 [7-card Fakabao तक 1.0_build20230805 shop/wxpay_notify.php out_trade_no SQL इंजेक्शन] |
|---|
| अंक | 20 |
|---|