| 제목 | SourceCodester Simple Forum Website 1.0 SQL Injection |
|---|
| 설명 | SQL Injection vulnerability was discovered in Sourcecodester's Sentiment Based Movie Success Rating Prediction System (user registration)
Official Website: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
Version: 1.0
Related Code file: /msrps/classes/Users.php
The email variable is directly inserted into the SQL query without any escaping or parameterization. An attacker could inject malicious SQL code by manipulating the email field. in (line number 135 of Users.php)
Injection parameter: email
Step to Reproduce:
1. Install and Setup the Movie Rating Application
2. click of Login
3. Click on Create a New Account Option
4. Fill the form and intercept the POST request in burp and copy the request
5. Store this request in a .txt file eg: register_req.txt
6. Run sqlmap
`sqlmap -r register_req.txt -p email`
Observe the SQL injection |
|---|
| 원천 | ⚠️ https://github.com/gurudattch/CVEs/blob/main/Sourcecodester-SQLi-Sentiment-Based-Moive-Rating.md |
|---|
| 사용자 | guru (UID 74056) |
|---|
| 제출 | 2024. 08. 29. AM 11:50 (2 연령 ago) |
|---|
| 모더레이션 | 2024. 08. 30. AM 09:50 (22 hours later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 276222 [SourceCodester Sentiment Based Movie Rating System 1.0 User Registration Users.php?f=save_client email SQL 주입] |
|---|
| 포인트들 | 20 |
|---|