提出 #43467: Gas Agency Management System have Vulnerability情報

タイトルGas Agency Management System have Vulnerability
説明In the login interface of this CMS, the parameters are not escaped, and no protection measures are set, which leads to SQL injection. The attacker can log in to the background through the universal password. The file location is gasmark/login.php, part of the source code is as follows ``` if($_POST) { $username = $_POST['username']; $password = $_POST['password']; //echo $password;exit; if(empty($username) || empty($password)) { if($username == "") { $errors[] = "Username is required"; } if($password == "") { $errors[] = "Password is required"; } } else { $sql = "SELECT * FROM users WHERE username = '$username'"; $result = $connect->query($sql); ``` When we use the following payload, we can bypass the login verification and go directly to the postscript ``` username: 1' or 1=1# password: 1 ``` https://img-blog.csdnimg.cn/e1f59036a87b46529b2403445caf85c2.png https://img-blog.csdnimg.cn/3232cb47c9ac418e983f6b7145bcf4d7.png source link https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html
ソース⚠️ https://www.sourcecodester.com/visual-basic-net/15538/college-attendance-system-cas.html
ユーザー
 quan9i (UID 30726)
送信2022年08月11日 16:25 (4 年 ago)
モデレーション2022年08月12日 12:51 (20 hours later)
ステータス承諾済み
VulDBエントリ206248 [SourceCodester Gas Agency Management System gasmark/login.php ユーザー名 SQLインジェクション]
ポイント20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!