Vulnerability reproduction:

1. Log in to the admin backend at http://172.16.108.111/admin

https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/73d8ae62-1f36-4c0c-bfb5-848aebee26b7/image1.png

  1. Add an administrator and capture the request with Burp Suite

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/3aeccb22-5efe-48d8-b689-c3006166b566/image2.png

  2. Replay the request with the payload shown below; when the injection succeeds, the response is delayed by 5 seconds (time-based blind injection)

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/cb46fc93-5b9f-40aa-bd9a-48de7acfbc42/image3.png

  3. Confirm the injection with sqlmap

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/b26c5b51-5133-4c8b-b457-733a8b04b9ea/image4.png

Injection points (each of the following POST parameters is injectable):

  1. Parameter A_newsauth

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/3e194d27-e4c9-4e66-ba42-3f7bc56ac8aa/image5.png

  2. Parameter A_bbsauth

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/c97af336-a826-4934-8365-00e394ad7ac2/image6.png

  3. Parameter A_productauth

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/0dfa2287-b9c5-4b8c-a6bd-94315e414ff0/image7.png

  4. Parameter A_textauth

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/9435cd24-acd4-45ef-98aa-0361bb2f0e3b/image8.png

  5. Parameter A_formauth

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/5d8ecc53-7c39-42d7-b3bd-47f978e78e37/image9.png

Vulnerability Analysis:

  1. The vulnerable endpoint is http://172.16.108.111/admin/ajax.php?type=admin&action=add&lang=0. Locate ajax.php in the source code:

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/7c1c3059-7041-4f47-951a-0fa939056374/image10.png

  2. The input filter lives in functions.php:

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/8dd1e207-5d2e-40a0-a4fe-6bfa4e6e1c77/image11.png

  3. Every POST parameter is passed through the check_input function:

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/cb5090af-2d77-4c57-a40f-5f4cdad03e3e/image12.png

  4. check_input only filters scalar values: a parameter submitted as an array (PHP parses a POST field named A_newsauth[] as an array) is returned without any filtering, which bypasses the rules entirely:

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/77456f7e-4142-4ded-91a3-757cc5120350/image13.png

  5. The returned array is then iterated and its elements concatenated straight into the SQL statement, so the unfiltered values reach the query and cause SQL injection:

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/b56e5376-b240-4e81-94af-2bb7fda1418e/image14.png

    https://prod-files-secure.s3.us-west-2.amazonaws.com/efd914e8-200f-4c06-bad3-75e9c0489fca/cc674f3c-1674-4019-96c9-54e486417984/image15.png
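The pattern described in the analysis above, written out as an added example; this is not code from the original page or from the CMS itself. The real check_input() and the real INSERT statement are only visible in the screenshots, so check_input_vulnerable(), build_insert_vulnerable(), the admin table and column names, and the SLEEP(5) payload are all assumptions made for illustration. The example puts the vulnerable pattern (scalars escaped, arrays passed through and joined into the query) next to a hardened version that enforces the expected shape of the permission list and binds it through a prepared statement.

```php
<?php
// Added example, not the CMS's own code. check_input_vulnerable() and
// build_insert_vulnerable() are assumed stand-ins for functions.php and
// ajax.php that reproduce only the behaviour described in the analysis.

// Stand-in for check_input(): scalar strings are escaped, but an array is
// handed back untouched. This is the root cause of the bypass.
function check_input_vulnerable($value)
{
    if (is_array($value)) {
        return $value;                 // no filtering at all for arrays
    }
    return addslashes((string) $value); // quotes in scalars get escaped
}

// Stand-in for the ajax.php sink: the permission list is iterated/joined
// and concatenated straight into the statement.
function build_insert_vulnerable(array $post): string
{
    $newsauth = check_input_vulnerable($post['A_newsauth']);
    if (is_array($newsauth)) {
        $newsauth = implode(',', $newsauth); // elements joined raw
    }
    $username = check_input_vulnerable($post['username']);
    return "INSERT INTO admin (username, newsauth) VALUES ('$username', '$newsauth')";
}

// Hardened version. Escaping alone is not the fix: the field is supposed to
// be a list of numeric column IDs, so enforce that shape, then bind the
// value with a prepared statement so no user data is ever spliced into SQL.
function normalize_auth_list($value): string
{
    $items = is_array($value) ? $value : explode(',', (string) $value);
    $ids = [];
    foreach ($items as $item) {
        if (is_array($item) || !preg_match('/^\d+$/', (string) $item)) {
            throw new InvalidArgumentException('auth list must contain numeric IDs only');
        }
        $ids[] = (int) $item;
    }
    return implode(',', $ids);
}

function insert_admin_fixed(mysqli $db, array $post): bool
{
    $username = (string) $post['username'];
    $newsauth = normalize_auth_list($post['A_newsauth']);
    $stmt = $db->prepare('INSERT INTO admin (username, newsauth) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $username, $newsauth);
    return $stmt->execute();
}

// Constructed demonstration input (assumed payload): the same value sent as
// a scalar has its quote escaped, while sent as A_newsauth[] it reaches the
// query with the quote intact, so the SLEEP(5) condition is evaluated.
$scalar = ['username' => 'test', 'A_newsauth' => "1') AND SLEEP(5)#"];
$array  = ['username' => 'test', 'A_newsauth' => ["1') AND SLEEP(5)#"]];

echo build_insert_vulnerable($scalar), PHP_EOL; // escaped, injection fails
echo build_insert_vulnerable($array), PHP_EOL;  // unescaped, injection succeeds

// The hardened path rejects the same array before any SQL is built.
try {
    normalize_auth_list($array['A_newsauth']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// Valid input, whether scalar or array, is reduced to a canonical ID list:
echo normalize_auth_list(['1', '2', '3']), PHP_EOL;
```

The same array-vs-scalar check applies to the other injection points listed above (A_bbsauth, A_productauth, A_textauth, A_formauth), since they go through the same check_input path. When auditing a filter like this, the two questions to ask are whether it recurses into arrays and, more importantly, whether the sink still concatenates anything at all; a recursive filter narrows the bypass, but only a prepared statement removes the injection.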