| शीर्षक | SQL Injection Found in Phpgurukul's "Rail Pass Management System Project in PHP" v 1.0 |
|---|
| विवरण | In version 1,0 of Phpgurukul's "Rail Pass Management System Project in PHP", there is a unauthenticated SQL injection vulnerability present.
On the `/view-pass-detail.php` endpoint, there is a functionality to view and print your rail pass by entering it into the search box.
The pass number is a nine-digit number that must be entered exactly for your pass to appear. After entering the correct number, you are given access to the pass owner's full name, e-mail address, trip details, Adhar card number (India's version of SSN), photo and more.
However, no brute force is necessary, as all the data can be pulled due to insufficient sanitization.
Typing into the text field for pass number at `/view-pass-detail.php` sends a POST request to `/download-pass.php` with the parameters "searchdata=<YOUR_INPUT>&search="
EXPLOIT:
By simply entering a "%" symbol, the backend interprets it as a SQL wildcard and will dump all the rail tickets in the database, with links for each to see more information and print the ticket.
The vulnerability is present in the "download-pass.php" file, with insufficient sanitization on line 60, when parsing `$sdata=$_POST['searchdata'];`
The application's source is: https://phpgurukul.com/rail-pass-management-system-using-php-and-mysql/
Thanks for reading! |
|---|
| उपयोगकर्ता | scumdestroy (UID 48934) |
|---|
| सबमिशन | 15/06/2023 01:09 PM (3 साल पहले) |
|---|
| संयम | 15/06/2023 02:12 PM (1 hour later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 231625 [PHPGurukul Rail Pass Management System 1.0 POST Request /view-pass-detail.php searchdata SQL इंजेक्शन] |
|---|
| अंक | 17 |
|---|