| タイトル | SourceCodester Water Billing Management System in PHP/OOP Free Source Code 1.0 SQL Injection |
|---|
| 説明 | The Water Billing Management System is vulnerable to an Authenticated SQL Injection flaw within the administrative dashboard. An attacker with valid low-level administrative credentials can manipulate the id parameter in the user management module to execute arbitrary SQL commands. This can lead to unauthorized data disclosure, including database versioning, structural information, and sensitive user records.
The application fails to properly sanitize or parameterize the id GET parameter in the /wbms/admin/?page=user/manage_user route. The input is passed directly into a SQL query string, allowing for Union-Based SQL Injection.
While this requires the attacker to be logged into the admin panel, it represents a significant risk from "insider threats" or compromised sub-admin accounts, as it allows for vertical privilege escalation and full database extraction. |
|---|
| ソース | ⚠️ https://github.com/renzortega1337/Security-Research-/blob/main/Authenticated%20SQL%20Injection%20in%20User%20Management.md |
|---|
| ユーザー | renzortega1337 (UID 98096) |
|---|
| 送信 | 2026年05月08日 15:26 (27 日 ago) |
|---|
| モデレーション | 2026年05月31日 10:24 (23 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 367516 [SourceCodester Water Billing Management System 1.0 User Management manage_user 識別子 SQLインジェクション] |
|---|
| ポイント | 20 |
|---|