Submission #399711: SourceCodester Simple Forum Website 1.0 SQL Injection

Information

Title: SourceCodester Simple Forum Website 1.0 SQL Injection
Description: SQL Injection vulnerability was discovered in Sourcecodester's Sentiment Based Movie Success Rating Prediction System (user registration).
Official Website: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
Version: 1.0
Related Code file: /msrps/classes/Users.php
The email variable is directly inserted into the SQL query without any escaping or parameterization (line 135 of Users.php). An attacker could inject malicious SQL code by manipulating the email field.
Injection parameter: email
Steps to Reproduce:
1. Install and set up the Movie Rating Application
2. Click on Login
3. Click on the Create a New Account option
4. Fill in the form, intercept the POST request in Burp and copy the request
5. Store this request in a .txt file, e.g. register_req.txt
6. Run sqlmap: `sqlmap -r register_req.txt -p email` and observe the SQL injection
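The root cause named in the description is a request value spliced into the SQL text. The following PHP is an added illustration, not code from the Sourcecodester project: it assumes the registration lookup in Users.php has the string-interpolated shape shown in emailExistsInsecure (the real code is not on this page) and places a prepared-statement rewrite beside it. It runs offline against an in-memory SQLite database, and the table, function names and sample addresses are constructed for the demo.

```php
<?php
// Added example (not the project's own code). Assumed shape of the flawed
// lookup beside the fix, run against an in-memory SQLite database.

function setupDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, firstname TEXT)');
    return $pdo;
}

// INSECURE (assumed shape of the original): the request value becomes part of
// the SQL text, so the database engine parses whatever the client sent as SQL.
function emailExistsInsecure(PDO $pdo, string $email): bool
{
    $sql = "SELECT count(id) FROM users WHERE email = '{$email}'";
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// HARDENED: a prepared statement ships the value separately from the query
// text, so it is bound as data no matter which characters it contains.
function emailExistsSafe(PDO $pdo, string $email): bool
{
    $stmt = $pdo->prepare('SELECT count(id) FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return (int) $stmt->fetchColumn() > 0;
}

// The INSERT that follows the duplicate check is parameterized the same way.
function registerSafe(PDO $pdo, string $email, string $firstname): void
{
    if (emailExistsSafe($pdo, $email)) {
        throw new RuntimeException('email already registered');
    }
    $stmt = $pdo->prepare('INSERT INTO users (email, firstname) VALUES (:email, :firstname)');
    $stmt->execute([':email' => $email, ':firstname' => $firstname]);
}

$pdo = setupDatabase();
registerSafe($pdo, 'alice@example.test', 'Alice');

// Constructed input: a perfectly legitimate address that contains a single quote.
$tricky = "o'brien@example.test";

try {
    var_dump(emailExistsInsecure($pdo, $tricky));
} catch (PDOException $e) {
    // The quote terminates the string literal and the rest is parsed as SQL:
    // the same mechanism an attacker abuses, surfacing here as a syntax error.
    echo "insecure lookup: SQL syntax error, the value was interpreted as SQL\n";
}

// The prepared statement handles the identical value as plain data.
var_dump(emailExistsSafe($pdo, $tricky));
registerSafe($pdo, $tricky, "O'Brien");
var_dump(emailExistsSafe($pdo, $tricky));
```

Run it with `php -f` on any PHP build with the pdo_sqlite extension. The ordinary apostrophe in the second address is enough to break the interpolated query, which is the cheapest regression check for this class of bug: if a benign quote changes the query's outcome, the field is injectable. Validating the address with `filter_var($email, FILTER_VALIDATE_EMAIL)` before the lookup is sensible defence in depth, but the fix is the parameter binding, not the validation.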
Source: https://github.com/gurudattch/CVEs/blob/main/Sourcecodester-SQLi-Sentiment-Based-Moive-Rating.md
User: guru (UID 74056)
Submitted: 29/08/2024 11:50 AM (2 years ago)
Moderated: 30/08/2024 09:50 AM (22 hours later)
Status: Approved
VulDB Entry: 276222 [SourceCodester Sentiment Based Movie Rating System 1.0 User Registration Users.php?f=save_client email SQL Injection]
Points: 20
