Submit #707094: Yunlin: code-projects Prison Management System 2.0 SQL Injection info

Title: Yunlin: code-projects Prison Management System 2.0 SQL Injection
Description: In the `search.php` file of the Student Information Management System, the developer directly concatenates the value received from the user-supplied `keyname` parameter into the dynamic SQL query string without performing any sanitization, validation, or parameterization. Consequently, an attacker can craft malicious `keyname` input—such as inserting meta-characters (e.g., single quotes), UNION-based payloads, Boolean-based blind clauses, time-delay functions, or stacked queries—to subvert the original SQL logic and trigger a critical SQL-injection vulnerability. Exploiting this flaw not only allows unauthorized bypassing of authentication controls but also grants the attacker the ability to read, modify, or delete sensitive student records (e.g., full names, student IDs, national identification numbers, grades, home addresses) stored in the backend database. Furthermore, by leveraging database-specific privileged functions—such as MySQL’s `LOAD_FILE()` to read system files, `INTO OUTFILE` to write web shells, or Microsoft SQL Server’s `xp_cmdshell` to execute operating-system commands—the attacker can escalate the attack from the database layer to the underlying server, ultimately obtaining full system-level privileges. Once the server is compromised, it can be used as a lateral-movement pivot to infiltrate other critical internal systems, leading to catastrophic outcomes including large-scale data breaches, service outages, defacement, ransomware deployment, and long-term persistence within the network.
Source: ⚠️ https://github.com/asd1238525/cve/blob/main/SQL18.md
User: zakka (UID 41989)
Submitted: 2025-12-05 08:23 (5 months ago)
Moderation: 2025-12-12 16:12 (7 days later)
Status: Accepted
VulDB Entry: 336209 [code-projects Prison Management System 2.0 /admin/search.php keyname SQL injection]
Points: 20
