VYPR
Critical severity · NVD Advisory · Published Mar 7, 2023 · Updated Mar 5, 2025

CVE-2023-24775

Description

Funadmin v3.2.0 has a SQL injection vulnerability in the selectFields parameter at app/backend/controller/member/Member.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Analysis

Funadmin v3.2.0 is vulnerable to a SQL injection attack via the selectFields parameter in the member module. The flaw exists in the index method of app\backend\controller\member\Member.php, where unsanitized input is passed through to the selectList method in app\common\traits\Curd.php, and eventually into the field method of vendor\topthink\think-orm\src\db\BaseQuery.php. No filtering or parameter binding is applied, allowing an attacker to inject arbitrary SQL statements [3].

Exploitation

An attacker can exploit this vulnerability by sending a crafted GET request to the /backend/member.memberLevel/index endpoint with malicious SQL in the selectFields[value] parameter. The provided proof-of-concept (PoC) uses the extractvalue() function to trigger a SQL error that reveals database information, such as the current database user [3]. The attack does not require authentication beyond a valid session token, as the PoC includes an authorized session cookie [3].

Impact

Successful exploitation allows an attacker to read, modify, or delete database content, leading to potential data breach or complete compromise of the application backend. The vulnerability can be used to extract user credentials, session data, or other sensitive information stored in the database [3].

Mitigation

The vulnerability affects Funadmin v3.2.0; users should upgrade to a patched version if available. As of the advisory date (March 2023), no official patch has been confirmed, and the project's GitHub repository indicates active development (v7.X), so upgrading to the latest version may address this issue [1][2].
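The defensive fix implied by the analysis above is to stop request-controlled identifiers from reaching the ORM's field() method unchecked. The following is an added illustration, not Funadmin's code and not a patch from the project: a small allowlist filter in the ThinkPHP style the analysis refers to. The table name, the column names, the controller wiring and the `input()` helper usage are assumptions; the `selectFields[value]` request shape is the one the advisory mentions.

```php
<?php
// Added illustration (not Funadmin's code): reduce an untrusted selectFields
// value to approved column names before it reaches the query builder.
// Table name, column names and request wiring are assumptions.
declare(strict_types=1);

use think\facade\Db;

final class MemberFieldFilter
{
    /** Columns the member listing may expose; anything else is rejected. */
    private const ALLOWED = ['id', 'username', 'nickname', 'level_id', 'create_time'];

    /**
     * Accepts the raw selectFields parameter (string, array, or the
     * selectFields[value] shape named in the advisory) and returns a list of
     * allowlisted column names. Unknown values raise instead of being forwarded.
     */
    public static function sanitize(mixed $selectFields): array
    {
        // Unwrap the selectFields[value] form, if that is what the client sent.
        if (is_array($selectFields) && array_key_exists('value', $selectFields)) {
            $selectFields = $selectFields['value'];
        }
        if (is_string($selectFields)) {
            $selectFields = explode(',', $selectFields);
        }
        if (!is_array($selectFields) || $selectFields === []) {
            return self::ALLOWED;          // default projection when nothing is requested
        }

        $clean = [];
        foreach ($selectFields as $name) {
            if (!is_string($name)) {
                throw new InvalidArgumentException('selectFields entries must be column names');
            }
            $name = trim($name);
            // Exact, case-sensitive match against the allowlist. No quoting or
            // escaping of arbitrary input: identifiers are either known or refused.
            if (!in_array($name, self::ALLOWED, true)) {
                throw new InvalidArgumentException("unknown column: {$name}");
            }
            $clean[] = $name;
        }
        return array_values(array_unique($clean));
    }
}

// Risky pattern described in the analysis: a request-controlled column list is
// passed straight to field(), so it becomes part of the generated SQL.
// $rows = Db::name('member')->field($request->get('selectFields'))->select();

// Hardened pattern: only allowlisted identifiers reach field().
$fields = MemberFieldFilter::sanitize(input('selectFields', []));
$rows   = Db::name('member')->field($fields)->select();
```

Bound parameters do not help here, because a column list is an identifier position, not a value position; an allowlist (or a mapping from client-facing names to fixed column names) is the standard control for that case.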

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: funadmin/funadmin (Packagist)
Affected versions: <= 3.2.0
Patched versions: (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles indexed)