| शीर्षक | sergomanov SmartHomeAdatum latest (2026-06, no formal release) SQL Injection |
|---|
| विवरण | Description:
SmartHomeAdatum smart home system contains unauthenticated SQL injection in
user registration and deletion (CWE-89).
File: users.php
Vuln 1 - Registration log injection:
mysqli_query($con,"INSERT INTO logs VALUES ('...".$_POST['login']."')");
$_POST['login'] directly concatenated into INSERT without sanitization.
Vuln 2 - User deletion injection:
$box_array = $_REQUEST['box'];
foreach($box_array as $value) {
mysqli_query($con,"DELETE FROM users WHERE id_user='$value'");
}
$_REQUEST['box'] values directly concatenated into DELETE without sanitization.
No authentication check on users.php. Uses deprecated mysql_* functions
alongside mysqli. MIT-licensed open source smart home platform.
Exploitation:
Registration: POST login='); DROP TABLE users; --
Delete: POST del=1&box[]=1' OR '1'='1
Countermeasure: Use prepared statements with parameter binding. CVSS 9.8. |
|---|
| स्रोत | ⚠️ https://github.com/sergomanov/SmartHomeAdatum |
|---|
| उपयोगकर्ता | Dest1ny_2 (UID 98658) |
|---|
| सबमिशन | 01/06/2026 05:54 AM (1 महीना पहले) |
|---|
| संयम | 11/07/2026 02:36 PM (1 month later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 377805 [sergomanov SmartHomeAdatum तक cf495353d81b680675eb8d9aa14a318aa45ce12c Login users.php लॉग इन करें SQL इंजेक्शन] |
|---|
| अंक | 20 |
|---|