Gửi #257435: Fahuo100 Fahuo100 ≤v1.1_build20230918 SQL Injectionthông tin

tiêu đềFahuo100 Fahuo100 ≤v1.1_build20230918 SQL Injection
Mô tảThis is an overview of a SQL injection vulnerability in the Fahuo100 software. In version v1.1_build20230918 and below of Fahuo100, a SQL injection vulnerability was found in the member/login.php file. In this file, the parameters $_GET["M_pwd"] and M_id are decoded by the function xcode, and the result is directly combined into the SQL query. This suggests that SQL injection could potentially be performed here. We have created a script to calculate M_pwd using a sleep query. We can then use Postman to send a sleep query to detect whether there's a SQL injection point here or not. If this vulnerability exists, an attacker could exploit it to access or modify database data without proper permissions, which could lead to data leaks, data corruption, or other security issues. It is recommended to immediately upgrade to the latest version or apply security patches to prevent such attacks.
Nguồn⚠️ https://note.zhaoj.in/share/az24SaQJn1UQ
Người dùng
 glzjin (UID 59815)
Đệ trình23/12/2023 16:19 (cách đây 3 những năm)
Kiểm duyệt30/12/2023 17:45 (7 days later)
Trạng tháiđược chấp nhận
Mục VulDB249390 [Shipping 100 Fahuo100 đến 1.1 member/login.php M_pwd Tiêm SQL]
điểm20

Do you want to use VulDB in your project?

Use the official API to access entries easily!