| tiêu đề | XHCMS login.php page, user parameter has SQL injection |
|---|
| Mô tả | A vulnerability classified as critical was found in XHCMS. This affects the section of the file login.php where an operation on the parameter user leads to sql injection
Source code analysis found that the login page directly through the POST parameters received user, password, and did not do any filtering, and then directly executed the UPDATE/DELETE/INSERT statements, we can directly report error injection, here constitutes a sql injection vulnerability.
The next process is to query the user name, if the user name exists, the password obtained from the POST will be md5 hashed, and then compared with the corresponding password in the database.
|
|---|
| Nguồn | ⚠️ https://github.com/wswokao/wswoako.github.io/blob/main/README.md |
|---|
| Người dùng | parad0x (UID 42770) |
|---|
| Đệ trình | 13/03/2023 04:12 (cách đây 3 những năm) |
|---|
| Kiểm duyệt | 13/03/2023 08:44 (5 hours later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 222874 [XHCMS 1.0 POST Parameter login.php Người dùng Tiêm SQL] |
|---|
| điểm | 20 |
|---|