Submission #796697: code-projects Simple ChatBox In PHP 1.0 SQL Injection

Information

Title: code-projects Simple ChatBox In PHP 1.0 SQL Injection
Description: The Simple Chatbox in PHP v1.0 contains a SQL injection vulnerability in its message submission functionality. The vulnerable endpoint is /SimpleChatbox_PHP/chatbox/insert.php.

The application reads user-supplied input from the msg parameter of an HTTP POST request and uses that value directly in backend SQL queries, without validation, sanitization, or parameterized query handling. Because special SQL characters are not neutralized and prepared statements are not used, an attacker can inject SQL into the msg parameter and alter the query logic.

During testing, a time-based SQL injection payload was executed successfully: '+(select*from(select(sleep(20)))a)+' When this payload is submitted, the server response is delayed by approximately 20 seconds, confirming that the injected SQL is executed by the database. This demonstrates time-based blind SQL injection, in which an attacker infers database behavior from response delays.
Source: https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Simple%20Chatbox%20PHP%20msg%20Parameter.md
User: AhmadMarzook (UID 96211)
Submitted: 03/04/2026 08:54 PM (11 days ago)
Moderation: 12/04/2026 08:11 PM (9 days later)
Status: Approved
VulDB Entry: 357041 [code-projects Simple ChatBox up to 1.0 Endpoint /chatbox/insert.php msg SQL injection]
Points: 20
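The description above says the msg value is spliced into the SQL text without prepared statements. The following is an added example, written for this page and not taken from the Simple Chatbox project, showing that pattern next to a hardened insert handler that binds the value as a parameter. The table name `chat`, the column `msg`, the PDO DSN and credentials are all assumptions; the project's real schema and database code are not on the page.

```php
<?php
// Added example, not the project's own insert.php.
// Assumed: a MySQL table `chat` with a text column `msg`, reached via PDO.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=chatbox;charset=utf8mb4', // assumed DSN
    'app',                                                  // assumed user
    'secret',                                               // assumed password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
    ]
);

// The pattern the advisory describes: the raw POST value becomes part of the
// SQL text, so any SQL syntax inside it is executed by the database.
// Kept only for contrast with the hardened version below.
function insert_message_unsafe(PDO $pdo, string $msg): void
{
    $pdo->exec("INSERT INTO chat (msg) VALUES ('" . $msg . "')");
}

// Hardened form: the message is sent as a bound parameter. The database
// receives the statement and the value separately, so the value is stored
// as data and is never parsed as SQL, whatever characters it contains.
function insert_message_safe(PDO $pdo, string $msg): void
{
    $msg = trim($msg);
    if ($msg === '' || mb_strlen($msg) > 500) { // length cap is an assumed policy
        http_response_code(400);
        exit('invalid message');
    }
    $stmt = $pdo->prepare('INSERT INTO chat (msg) VALUES (:msg)');
    $stmt->execute([':msg' => $msg]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    insert_message_safe($pdo, (string)($_POST['msg'] ?? ''));
    header('Location: index.php'); // assumed redirect target
    exit;
}
```

The same fix applies with mysqli (`prepare` plus `bind_param`) if the project uses that extension instead of PDO. Note that input validation alone would not have closed this hole: the bound parameter is what removes the SQL context, and the length check only limits abuse of the stored column. As a defence-in-depth measure against the time-based probing described above, a per-query execution limit on the database side (for MySQL, the `max_execution_time` system variable for SELECT statements) bounds how long any injected delay can hold a connection.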
