| Title | BiggiDroid Simple-PHP-Blog 1.0 SQL Injection |
|---|---|
| Description | In BiggiDroid Simple PHP CMS, `admin/login.php` concatenates the username and password directly into the SQL query without any sanitization. An attacker can type `xxx' OR '1'='1'--` in the password field, turning the entire WHERE clause into an always-true condition. This lets them log in to the admin panel without the correct password, achieving a "universal user" takeover. |
| Source | https://gitee.com/devilrunsun/mywork/issues/IDGMME |
| User | devil_run_sun (UID 93950) |
| Submission | 29/12/2025 02:05 PM (4 months ago) |
| Moderation | 29/12/2025 04:14 PM (2 hours later) |
| Status | Approved |
| VulDB Entry | 338657 [BiggiDroid Simple PHP CMS 1.0 Admin Login /admin/login.php username sql injection] |
| Points | 20 |
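The following is an added example, not code from BiggiDroid Simple PHP CMS or from the submission above. It reproduces the defect the description names (credentials concatenated into the SQL text) next to the fix (a parameterized query), using Python's built-in `sqlite3` as a stand-in for the PHP/MySQL code so it runs offline. The `users` table, the `admin` row and its password are constructed sample data; the payload is the one quoted in the description.

```python
import sqlite3

# Constructed sample data: one admin account whose password the attacker
# does not know. Plaintext storage is used only to keep the demo short;
# a real login table would store password hashes.
def _setup():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct-horse-battery')"
    )
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable form: the pattern the advisory describes.

    User input becomes part of the SQL text, so a quote in the password
    ends the string literal and the rest is parsed as SQL.
    """
    sql = (
        "SELECT id FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders bind the values separately from the SQL
    text, so the payload is compared as an ordinary string and never parsed."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Payload quoted in the description above.
PAYLOAD = "xxx' OR '1'='1'--"


def demo():
    """Run both login variants with the real password and with the payload."""
    conn = _setup()
    return {
        "concat_correct": login_concatenated(conn, "admin", "correct-horse-battery"),
        "concat_payload": login_concatenated(conn, "admin", PAYLOAD),
        "param_correct": login_parameterized(conn, "admin", "correct-horse-battery"),
        "param_payload": login_parameterized(conn, "admin", PAYLOAD),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login OK' if ok else 'rejected'}")
```

With the concatenated query the payload turns the WHERE clause into `username='admin' AND password='xxx' OR '1'='1'--'`, which matches every row; with bound parameters the same string is just a wrong password and the query returns nothing. In PHP the equivalent fix is `mysqli_prepare`/PDO with bound parameters instead of building the query string.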