SQL Injection in star7th/showdoc


Reported on

Jan 25th 2022


The uid parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection.

Proof of Concept

Time based:

POST /server/index.php?s=/api/adminUser/addUser HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/plain, */*
Cookie: PHPSESSID=c35a50119eee7d09650616215ccc2693; think_language=en-US; cookie_token=248df88efcc25f6b5aef3ad5cf4fd2c145be19155add1c78609427a37f88d267
Accept-Encoding: gzip,deflate
Content-Length: 106
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Host: host.com
Connection: Keep-alive



A successful attack may result the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, write file to server lead to Remote code Execute, or write script to extract data

We are processing your report and will contact the star7th/showdoc team within 24 hours. a year ago
laladee submitted a
a year ago
star7th validated this vulnerability a year ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
a year ago


I've fixed it. You can check it https://github.com/star7th/showdoc/commit/2b34e267e4186125f99bfa420140634ad45801fb

a year ago


Yes, I've submitted a patch above :) however the Issue has been resolved.

star7th marked this as fixed in 2.10.3 with commit 2b34e2 a year ago
star7th has been awarded the fix bounty
This vulnerability will not receive a CVE
a year ago


I found that there was a patch, but I didn't notice it. I fixed all the problems that others fed back before, so I habitually didn't see the patch. Pay attention next time

to join this conversation