| Title | SQL injection vulnerability in student information system |
|---|---|
| Description | A SQL injection vulnerability exists in the student information system. When student information is viewed, the query parameter supplied by the user is not checked. Because the input is fully user-controlled, a user can construct a malicious payload to attack the website. The details follow below the table. |

Vulnerability file location: `/admin/students/view_student.php`

The relevant source code:

```php
if(isset($_GET['id'])){
    // $_GET['id'] is interpolated straight into the SQL string, with no validation or escaping
    $qry = $conn->query("SELECT *, CONCAT(lastname,', ', firstname,' ', middlename) as fullname FROM `student_list` where id = '{$_GET['id']}'");
}
```

The `id` parameter is not protected here: the raw value of `$_GET['id']` is concatenated into the query string, so malicious data can be constructed to attack the website database.

The constructed request is as follows:

```
?page=students/view_student&id=0' union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 --+
```

Screenshot: https://s1.ax1x.com/2022/08/11/vGcdBt.png

Source link: https://www.sourcecodester.com/php/15147/simple-student-information-system-phpoop-free-source-code.html
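The hardened counterpart of the lookup above, added here as an example and not code from the SourceCodester project: it validates `id` as a positive integer before it reaches the database and runs the query through a mysqli prepared statement, so the value is bound as data rather than spliced into the SQL text. It assumes an open `mysqli` connection in `$conn`, as the original snippet does; the function name `fetch_student` and the 404 handling are this example's own.

```php
<?php
// Added example (not the project's own code): hardened equivalent of the
// vulnerable lookup in /admin/students/view_student.php. Assumes an existing
// mysqli connection in $conn, as the original snippet does.

/**
 * Fetch one student row by id using a prepared statement.
 * Returns the associative row, or null when the id is missing, invalid or unknown.
 */
function fetch_student(mysqli $conn, $raw_id): ?array {
    // 1. Validate: the id column is an integer, so reject anything that is not a
    //    plain positive integer before it gets anywhere near the database.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterise: the SQL text is fixed at prepare time; the value travels
    //    separately as a bound integer, so quote characters or UNION clauses in
    //    the input can no longer change the statement's structure.
    $sql = "SELECT *, CONCAT(lastname, ', ', firstname, ' ', middlename) AS fullname "
         . "FROM `student_list` WHERE id = ?";
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $result = $stmt->get_result();          // requires the mysqlnd driver
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

// Usage, mirroring the original control flow in view_student.php.
if (isset($_GET['id'])) {
    $student = fetch_student($conn, $_GET['id']);
    if ($student === null) {
        // Invalid or unknown id: answer with a plain 404 instead of a SQL error.
        http_response_code(404);
        echo 'Student not found.';
    } else {
        echo htmlspecialchars($student['fullname'], ENT_QUOTES, 'UTF-8');
    }
}
```

The integer check alone would already defeat the payload shown on this page, but the prepared statement is the real fix: it keeps the query safe even if the column type changes or the validation is later relaxed. If the server lacks the mysqlnd driver, `get_result()` is unavailable and `bind_result()` plus `fetch()` should be used instead; the binding is what matters, not the fetch style.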
| Source | https://www.sourcecodester.com/php/15147/simple-student-information-system-phpoop-free-source-code.html |
|---|---|
| User | qidian (UID 30810) |
| Submitted | 2022-08-12 12:48 AM (4 years ago) |
| Moderation | 2022-08-12 11:13 AM (10 hours later) |
| Status | Accepted |
| VulDB Entry | 206245 [SourceCodester Student Information System view_student.php id sql injection] |
| Points | 20 |