Submit #43540: There are file upload and SQL injection vulnerabilities in the zoo management system

Title: There are file upload and SQL injection vulnerabilities in the zoo management system

Description: There are file upload and SQL injection vulnerabilities in the zoo management system. When querying the animal species, the query content entered by the user is not checked. The input is controllable by the user, who can construct a malicious payload to attack the website.

Vulnerability file location: /pages/animals.php. Look at this source code:

```
$classId=$_GET['class_id'];
```

$class_id is not filtered here, so malicious data can be constructed to attack the website database. The constructed statement is as follows:

```
?class_id=0' union select 1,database(),group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from information_schema.tables where table_schema='zoomanagement'--+
```

https://s1.ax1x.com/2022/08/12/vJ4zHH.png

Vulnerability file location: /pages/apply_vacancy.php. Look at this source code:

```
$fileName = pathinfo($_FILES['cv']['name'])['filename'];
$newFileName = $fileName . '_' . time();
$extension = pathinfo($_FILES['cv']['name'])['extension'];
$fullName = $newFileName . '.' . $extension;
```

The type of the uploaded file is not checked here. Although the file name is changed, the attacker can still brute-force the name of the uploaded file because it follows a predictable pattern, resulting in arbitrary file upload and a serious threat.

https://s1.ax1x.com/2022/08/12/vJ5pEd.png

Source link: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html
Source: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html
User: qidian (UID 30810)
Submission: 12.08.2022 09:34 (4 years ago)
Moderation: 12.08.2022 12:59 (3 hours later)
Status: Accepted
VulDB Entry: 206249 [SourceCodester Zoo Management System /pages/animals.php class_id SQL Injection]
Points: 20
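The two weaknesses reported in this submission, shown as an added PHP example that is not part of the submission or of the Zoo Management System source. The vulnerable query reproduces the pattern the submitter describes (class_id concatenated into the SQL string) next to a parameterised version, and the upload handler replaces the client-controlled extension and timestamp-based name with a content check and a random name. The table name `tbl_animals`, the PDO handle `$pdo`, the upload directory and the 5 MiB size cap are assumptions for illustration.

```php
<?php
// Added example, not code from the Zoo Management System project.
// Assumes: a PDO connection $pdo to MySQL, a table `tbl_animals` (assumed name)
// with an integer column `class_id`, and a directory outside the web root for CVs.
declare(strict_types=1);

// --- 1. SQL injection in /pages/animals.php ---

// Vulnerable pattern, as described in the submission: the user-controlled
// class_id is concatenated straight into the query, so a value such as
//   0' union select 1,database(),group_concat(table_name),4,... --+
// closes the quoted literal and appends a UNION that reads information_schema.
function animalsByClassVulnerable(PDO $pdo, array $get): array
{
    $classId = $get['class_id'];
    $sql = "SELECT * FROM tbl_animals WHERE class_id='" . $classId . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value is validated as an integer and bound as a
// parameter, so it can never alter the structure of the statement.
function animalsByClassSafe(PDO $pdo, array $get): array
{
    $classId = filter_var($get['class_id'] ?? '', FILTER_VALIDATE_INT);
    if ($classId === false) {
        http_response_code(400);
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM tbl_animals WHERE class_id = :id');
    $stmt->bindValue(':id', $classId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 2. Unrestricted upload in /pages/apply_vacancy.php ---

// Hardened CV upload. Compared with the original, which keeps the client-supplied
// extension and names the file <original>_<time()>.<ext>:
//  * the stored extension comes from an allow-list keyed by detected MIME type,
//    never from the client;
//  * the content is inspected with finfo, not only the name;
//  * the stored name is random, so it cannot be guessed from the timestamp;
//  * the file lands outside the web root and is not executable.
function storeCvUpload(array $file, string $dir = '/var/www/private_uploads'): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > 5 * 1024 * 1024) {      // 5 MiB cap (assumed policy)
        return null;
    }

    // Detected MIME type => extension we assign. A PHP script renamed to .pdf
    // is rejected because its content is not a PDF.
    $allowed = [
        'application/pdf' => 'pdf',
    ];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        return null;
    }

    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);                          // readable by the app only, never executable
    return $name;                                // persist this; serve via a download script
}
```

Note that the allow-list deliberately contains only PDF: libmagic reports `.docx` and similar zip-based formats inconsistently across versions, so accepting office documents needs a dedicated check rather than a single MIME match. The random name also removes the oracle the submitter describes: with `<original>_<time()>`, an attacker who knows roughly when the upload happened can enumerate candidate names within the web root.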
