| tiêu đề | LyLme lylme_spage 2.1 SQL Injection |
|---|
| Mô tả | A time-based blind SQL injection vulnerability exists in the lylme_spage project due to improper handling of the sort parameter in an SQL INSERT statement. The parameter is directly concatenated into the SQL query without sanitization or parameterization. This allows an unauthenticated attacker to inject malicious SQL payloads that can delay server responses based on conditional logic, confirming the vulnerability. A crafted payload using the sleep() function can be used to extract information from the database (e.g., current user), one character at a time. |
|---|
| Nguồn | ⚠️ https://github.com/yanbeiii/Proof-of-Concept/blob/main/lylme-sqli.md |
|---|
| Người dùng | yanbei (UID 84800) |
|---|
| Đệ trình | 29/04/2025 17:07 (cách đây 1 Năm) |
|---|
| Kiểm duyệt | 10/05/2025 15:56 (11 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 308289 [LyLme Spage 2.1 ajax_link.php sort Tiêm SQL] |
|---|
| điểm | 20 |
|---|