| タイトル | code-projects Inventory Management 1.0 SQL Injection |
|---|
| 説明 | Vulnerability Description:
An Authenticated SQL Injection vulnerability was discovered in the Inventory Management Web Application, specifically in the editProduct.php page. The vulnerability occurs due to improper handling of user-controlled input in the id parameter passed through the URL (GET method).
This vulnerability allows authenticated attackers to inject arbitrary SQL queries through the id parameter. The attacker can manipulate the URL, crafting an injection to trigger a time-based SQL injection (using sleep function) and potentially extract sensitive information from the database.
Vulnerable Code Section:
if(isset($_GET['id'])){
$id= $_GET['id'];
$sql= "SELECT * from products WHERE id='$id' limit 1";
$res= mysqli_fetch_assoc($conn->query($sql));
}
Proof of Concept (PoC):
Location: http://localhost/Inventory-Management/model/editProduct.php?id=12%27XOR(if(now()=sysdate(),sleep(5),0))XOR%27Z
Payload: 12' XOR(if(now()=sysdate(),sleep(5),0)) XOR 'Z
Exploit: An attacker can trigger the SQL injection by injecting the payload into the id parameter, which results in a delay in the response if the payload is successful. This confirms that the server is vulnerable to time-based SQL injection.
Check out full advisory please. |
|---|
| ソース | ⚠️ https://github.com/sh3rl0ckpggp/0day/blob/main/inventory-management_authenticated_sqli.md |
|---|
| ユーザー | sh3rl0ckpgp (UID 77534) |
|---|
| 送信 | 2024年11月13日 11:38 (2 年 ago) |
|---|
| モデレーション | 2024年11月15日 09:47 (2 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 284686 [code-projects Inventory Management 迄 1.0 /model/editProduct.php 識別子 SQLインジェクション] |
|---|
| ポイント | 20 |
|---|