Below is shown a normal request sent to the functionality.
And here is a request with a time-based payload, where one can note that the request takes a while to process due to sleep().
This can be automated with the SQLmap tool by saving the request to a text file (request.txt for example) and running the following command:
    sqlmap -r request.txt --current-db --current-user
From what I could understand, the affected code seems to be the following, in the users_login_log.php file.
    $where_sql = '';
    foreach($_POST['filters'] as $filter)
    {
        if(strlen($filter['value'])>0)
        {
            switch($filter['name'])
            {
                case 'type':
                    $where_sql .= " and is_success='" . $filter['value'] . "'";
                    break;
                case 'users_id':
                    $where_sql .= " and users_id='" . $filter['value'] . "'";
                    break;
            }
        }
    }
    $listing_sql = "select * from app_users_login_log where id>0 {$where_sql} order by date_added desc";
    $listing_split = new split_page($listing_sql,'users_login_log_listing','',CFG_APP_ROWS_PER_PAGE);
    $items_query = db_query($listing_split->sql_query);
Please let me know if you need any additional information or assistance.
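
One way to harden the filter handling quoted above, shown as an added example that is not part of the original post or the project's own code. It assumes is_success holds 0 or 1 and users_id is a positive integer key; build_login_log_where is a hypothetical helper name.

```php
<?php
// Added example, not the project's code.
// Assumption: is_success is 0/1 and users_id is a positive integer.

/**
 * Build the extra WHERE conditions from the posted filters.
 * Only allow-listed filter names are accepted, and every value must
 * validate as an integer in range; anything else is dropped.
 */
function build_login_log_where($filters): string
{
    // Filter name => [column, min, max]. Column names come from this
    // table only, never from the request.
    $allowed = [
        'type'     => ['is_success', 0, 1],
        'users_id' => ['users_id', 1, PHP_INT_MAX],
    ];

    $where_sql = '';
    if (!is_array($filters)) {
        return $where_sql;
    }

    foreach ($filters as $filter) {
        if (!is_array($filter) || !isset($filter['name'], $filter['value'])) continue;
        if (!is_string($filter['name']) || !isset($allowed[$filter['name']])) continue;
        if (!is_scalar($filter['value'])) continue;

        [$column, $min, $max] = $allowed[$filter['name']];
        $value = filter_var($filter['value'], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        if ($value === false) continue; // empty, non-numeric or out of range

        // $value is a PHP int here, so no quoting is involved.
        $where_sql .= " and {$column}=" . $value;
    }
    return $where_sql;
}

// Constructed sample input: one valid filter, one carrying SQL text.
$filters = [
    ['name' => 'type', 'value' => '1'],
    ['name' => 'users_id', 'value' => "5' or '1'='1"],
];
$where_sql = build_login_log_where($filters);
echo "select * from app_users_login_log where id>0 {$where_sql} order by date_added desc", PHP_EOL;
```

Where the database layer supports bound parameters, passing the values as parameters instead of concatenating them is the more general fix; the integer validation is still worth keeping as input checking.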