CVE-2021-27948 MyBB後台用戶管理用戶組SQL注入漏洞

From PwnWiki

Revision as of 10:51, 21 March 2021 by Pwnwiki (talk | contribs) (Created page with "<languages /> <translate> ==影響版本== </translate> <pre> < 1.8.26 </pre> <translate> ==漏洞利用== </translate> <translate> 先隨便創個用戶組，接著新...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Other languages:

Chinese • ‎中文（台灣）‎

影響版本

< 1.8.26

漏洞利用

先隨便創個用戶組，接著新建一個用戶，並設置他的用戶組；

在profile中選擇組；

點擊保存抓包分析；

修改addtionalgroups參數為sql注入payload：

1‘ and sleep(10) and '

選擇banning模塊，並選擇我們剛剛設置的用戶;

點擊“Ban user”，抓包分析;

可以看到成功延時。

Retrieved from "https://pwnwiki.com/index.php?title=CVE-2021-27948_MyBB後台用戶管理用戶組SQL注入漏洞&oldid=546"