iCMS V7.0.16 admin back end: SQL injection in database backup

1. Vulnerability location: admin back end, Database Management > Backup Database
[Image 1]

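2. The injection point is $tabledb[] at line 267. It has no single-quote protection and no further filtering, and it is substituted directly into the database query.
[Image 2]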

3. In the admin back end, go to Database Management > Backup Database and capture the request.
Request:

POST /icms/admincp.php?app=database&do=batch&frame=iPHP&CSRF_TOKEN=147c3ba71iBSwv46u3-S6929ZzoyYEcNomQKbIGgnjUQ-YD1D9onuehUTP0cXFsOl4Zyrwm6-JagBG4gwWvM3RaVf8mQ5WgRhJ98czs HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/icms/admincp.php?app=database&do=backup
Cookie: iCMS_ADMIN_AUTH=177606eayar4nMr06uzE8qLtqrHd_-2aqf-LLtx_wGXYxb89E1f5eStc2KHz-r3SJRpcPyesmzEsAwFbpDOBbsXurTZImR75bCQKEo1r_pLLajmwD_2L7Q
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

table%5B%5D=icms_user_data&sizelimit=2048&batch=backup

Testing with sqlmap:

[Image 3]

Test result:
[Image 4]
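
One way to close the injection point described in step 2, as an added example that is not iCMS code and not from the original report: table names cannot be bound as query parameters, so each table[] value is checked against a strict identifier pattern and against the tables that actually exist before it is used. The function name resolve_backup_tables and the sample table list are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not iCMS code). Resolve the table[] values from a backup
 * request to safe, backtick-quoted identifiers, or throw.
 * $existing is assumed to come from the application's own SHOW TABLES result.
 */
function resolve_backup_tables(array $requested, array $existing): array
{
    $allowed = array_flip($existing);
    $safe = [];
    foreach ($requested as $name) {
        // table[]=... can arrive as a nested array; accept plain strings only.
        if (!is_string($name)) {
            throw new InvalidArgumentException('table name must be a string');
        }
        // Identifiers cannot be bound as parameters, so restrict the character
        // set first (\z rather than $, so a trailing newline is rejected)...
        if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) !== 1) {
            throw new InvalidArgumentException('illegal table name');
        }
        // ...then require an exact match against tables that really exist.
        if (!isset($allowed[$name])) {
            throw new InvalidArgumentException('unknown table');
        }
        $safe[] = '`' . $name . '`';
    }
    return $safe;
}

// Constructed sample data, for illustration only.
$existing = ['icms_user', 'icms_user_data', 'icms_article'];

foreach ([['icms_user_data'], ['icms_user_data WHERE 1=1'], [['x']]] as $input) {
    try {
        foreach (resolve_backup_tables($input, $existing) as $t) {
            // Only validated identifiers are ever concatenated into SQL.
            echo "SHOW CREATE TABLE {$t}\n";
        }
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The first input produces a statement for `icms_user_data`; the other two are rejected before any SQL string is built.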