Submit #796697: code-projects Simple ChatBox In PHP 1.0 SQL Injection

Title: code-projects Simple ChatBox In PHP 1.0 SQL Injection
Description: The Simple Chatbox in PHP v1.0 is vulnerable to a SQL Injection vulnerability in the message submission functionality. The vulnerability exists in the following endpoint: /SimpleChatbox_PHP/chatbox/insert.php

The application processes user-supplied input through the msg parameter via an HTTP POST request. This parameter is directly used in backend SQL queries without proper validation, sanitization, or parameterized query handling. Because the application fails to properly neutralize special SQL characters, attackers can inject malicious SQL payloads into the msg parameter. The input is incorporated into SQL statements without using prepared statements, allowing attackers to manipulate query logic.

During testing, a time-based SQL injection payload was successfully executed: '+(select*from(select(sleep(20)))a)+'

When the payload is submitted, the server response is delayed by approximately 20 seconds, confirming that the injected SQL query is executed by the database. This demonstrates that the application is vulnerable to time-based blind SQL injection, where attackers can infer database behavior based on response delays.
Source: https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Simple%20Chatbox%20PHP%20msg%20Parameter.md
User: AhmadMarzook (UID 96211)
Submission: 03.04.2026 20:54 (10 days ago)
Moderation: 12.04.2026 20:11 (9 days later)
Status: Accepted
VulDB entry: 357041 [code-projects Simple ChatBox up to 1.0 Endpoint /chatbox/insert.php msg SQL Injection]
Points: 20
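
The root cause named in the description (msg concatenated into the SQL text instead of being bound as a parameter) is shown below beside the prepared-statement fix. This is an added example, not code from the project or the submission: the table `chat`, its column `msg`, and both function names are hypothetical, and an in-memory SQLite database stands in for the application's database so the script runs offline (pdo_sqlite required).

```php
<?php
// Added example: hypothetical stand-in for chatbox/insert.php, not the project's code.
// Assumptions: table `chat` with column `msg`; in-memory SQLite replaces the real
// database so the script is self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE chat (id INTEGER PRIMARY KEY, msg TEXT)');

// Vulnerable pattern described in the submission: msg becomes part of the SQL text.
function insert_concatenated(PDO $db, string $msg): string
{
    try {
        $db->exec("INSERT INTO chat (msg) VALUES ('" . $msg . "')");
        return 'stored';
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// Hardened pattern: msg is bound as a parameter and is never parsed as SQL.
function insert_prepared(PDO $db, string $msg): string
{
    $stmt = $db->prepare('INSERT INTO chat (msg) VALUES (:msg)');
    $stmt->execute([':msg' => $msg]);
    return 'stored';
}

// Payload quoted in the submission.
$payload = "'+(select*from(select(sleep(20)))a)+'";

// SQLite has no sleep() function, so the engine rejects the statement with an
// unknown-function error. That error shows the input was interpreted as SQL;
// a database that provides sleep() would execute the call instead.
echo 'concatenated: ', insert_concatenated($db, $payload), PHP_EOL;

// The same input through the prepared statement is stored as plain text.
echo 'prepared:     ', insert_prepared($db, $payload), PHP_EOL;

foreach ($db->query('SELECT id, msg FROM chat') as $row) {
    echo "row {$row['id']}: {$row['msg']}", PHP_EOL;
}
```

The prepare/execute pattern carries over unchanged to other PDO drivers; only the connection string differs.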
