| शीर्षक | code-projects Blood Bank Management System 1.0 SQL Injection |
|---|
| विवरण | A SQL Injection vulnerability has been identified in the BloodBank Management System version 1.0, specifically in the cancel request functionality. This flaw arises from a lack of proper input sanitization on the reqid parameter, enabling malicious users to inject SQL commands into the query handling cancellation requests.
The vulnerability allows for a time-based blind SQL injection attack. In this scenario, an attacker injects code that makes the system execute time-intensive SQL operations, such as using the BENCHMARK function, to delay the response. If the request is valid, the system delays by a predefined amount of time, confirming that the injection worked. This technique can lead to:
Exfiltration of sensitive data over time.
Denial of Service (DoS) by slowing down the system.
Tampering with blood request statuses, including unauthorized cancellations.
|
|---|
| स्रोत | ⚠️ https://gist.github.com/higordiego/18cf04067697c8ceb2cba68980139dcc |
|---|
| उपयोगकर्ता | c4ttr4ck (UID 75518) |
|---|
| सबमिशन | 25/10/2024 09:53 PM (2 साल पहले) |
|---|
| संयम | 26/10/2024 03:43 PM (18 hours later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 281957 [code-projects Blood Bank Management System 1.0 /file/cancel.php reqid SQL इंजेक्शन] |
|---|
| अंक | 20 |
|---|