[Security Bugs] Multiple Sql Injection #200

Open
qmss opened this issue Dec 21, 2021 · 2 comments
qmss commented Dec 21, 2021

Hello, I found some serious bugs in Slims8 Akasia 8.3.1 (latest version).
First of all, there is a SQL injection bug. This injection exists in multiple files: every file where the search keyword $_GET['dir'] is used has SQL injection.
URL: http://localhost/admin/modules/bibliography/index.php?itemID=17&detail=true&ajaxload=1&datatablefld=ISBN%2FISSN&dir=asc

```php
// change the record sorting if there fld var in URL
$_fld_sort = $this->table_ID.'fld';
$_dir = 'ASC';
$_next_dir = 'DESC';
$_sort_dir_info = __('ascendingly');
if (isset($_GET[$_fld_sort]) AND !empty($_GET[$_fld_sort])) {
    $this->sql_order = 'ORDER BY'.urldecode($_GET[$_fld_sort]).'';
    // record order direction
    if (isset($_GET['dir']) AND ($_dir = trim($_GET['dir']))) {
        if ($_dir == 'DESC') {
            $_next_dir = 'ASC';
        } else {
            $_next_dir = 'DESC';
            $_sort_dir_info = __('descendingly');
        }
        // append sort direction
        $this->sql_order .= $_dir;
    }
}
```

You have escaped the dir string, but in fact that only prepends a backslash (\) before characters such as ' and " (see PHP's mysql_real_escape_string).
Therefore, if my GET variable dir does not contain these characters, SQL injection will be triggered.
SQL injection demonstration: dir=-test() // when the data table test does not exist, the database name is returned: slims.test
SQL injection demonstration: dir=-user() // when the data table user exists, the normal page is returned.

Example: http://localhost/admin/modules/bibliography/index.php?itemID=17&detail=true&ajaxload=1&datatablefld=ISBN%2FISSN&dir=-a()

Some pages with SQL injection:

- `http://localhost/admin/modules/bibliography/index.php?itemID=17&detail=true&ajaxload=1&datatablefld=ISBN%2FISSN&dir=-test()`
- `http://localhost/admin/modules/membership/member_type.php?ajaxload=1&datatablefld=Loan+Limit&dir=DESC`
- `http://localhost/admin/modules/system/user_group.php?keywords=&datatablefld=Group+Name&dir=DESC`
- `http://localhost/admin/modules/membership/index.php?datatablefld=Member+ID&dir=DESC`
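The report's central point is that escaping cannot protect an ORDER BY clause: the sort field and direction are SQL identifiers and keywords, not string literals, so a value such as `-test()` passes an escaper untouched. The usual mitigation is to never copy request input into the clause at all and instead select from fixed allow-lists. The following is an added example written for this page, not SLiMS code; the `buildOrderBy` function, the label-to-column map and the column names are assumptions chosen to mirror the URLs above.

```php
<?php
// Added example (not SLiMS code): a hardened replacement for the ORDER BY
// construction quoted in the report. Both user-supplied values are checked
// against fixed allow-lists instead of being escaped, because an escaper only
// quotes characters such as ' and ", and a payload like -test() contains none.

/**
 * Map a display label from the URL to a real column and build an ORDER BY clause.
 *
 * @param array       $sortable  display label => real column name (assumed mapping)
 * @param string|null $label     raw sort field from the URL (e.g. $_GET['datatablefld'])
 * @param string|null $dir       raw direction from the URL (e.g. $_GET['dir'])
 * @return string                '' when no acceptable sort field was requested
 */
function buildOrderBy(array $sortable, ?string $label, ?string $dir): string
{
    // Field allow-list: only labels we defined may be looked up; the SQL
    // identifier comes from our own map, never from the request.
    if ($label === null || !array_key_exists($label, $sortable)) {
        return '';
    }
    $column = $sortable[$label];

    // Direction allow-list: the emitted keyword is one of two literals chosen
    // by comparison; the request string itself never reaches the query.
    $direction = (strtoupper(trim((string) $dir)) === 'DESC') ? 'DESC' : 'ASC';

    return 'ORDER BY `' . $column . '` ' . $direction;
}

// Constructed inputs modelled on the URLs in the report (column names assumed).
$sortable = [
    'ISBN/ISSN'  => 'isbn_issn',
    'Loan Limit' => 'loan_limit',
    'Group Name' => 'group_name',
    'Member ID'  => 'member_id',
];

$cases = [
    ['ISBN/ISSN', 'asc'],       // legitimate: ORDER BY `isbn_issn` ASC
    ['Loan Limit', 'DESC'],     // legitimate: ORDER BY `loan_limit` DESC
    ['ISBN/ISSN', '-test()'],   // payload from the report: direction falls back to ASC
    ['-test()', 'ASC'],         // injected field label: no ORDER BY emitted at all
];

foreach ($cases as [$label, $dir]) {
    printf("%-12s %-8s => %s\n", $label, $dir, var_export(buildOrderBy($sortable, $label, $dir), true));
}
```

The design choice worth noting is that the function returns a clause built only from constants it owns: the column name is read out of the map, the direction is one of two literals, and the request values are used solely as lookup keys and comparison operands. That is what makes the `-test()` and `-user()` payloads inert regardless of which characters they contain.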
@ridorido
Collaborator

Thank you for your reporting. By the way we don't develop slims8akasia project anymore. Now, we already moved to Slims 9 with code name Bulian. Please visit our new project in here https://github.com/slims/slims9_bulian/releases


qmss commented Dec 22, 2021

> Thank you for your reporting. By the way we don't develop slims8akasia project anymore. Now, we already moved to Slims 9 with code name Bulian. Please visit our new project in here https://github.com/slims/slims9_bulian/releases

Okay, I understand. I still hope the vulnerabilities in this version will be fixed.
