| Title | SourceCodester Online-Funding-Management-System-PHP-Project 1.0 SQL Injection |
|---|
| Description | A critical SQL injection vulnerability exists in the Online Funding Management System (v1.0) within the members/fundDetails.php page. The m06 GET parameter is susceptible to time-based blind SQL injection due to insufficient input sanitization, enabling attackers to inject malicious SQL code and enumerate database information, such as schema and table counts. The provided payload exploits MySQL's SLEEP() function to induce a measurable response delay, confirming the vulnerability. This flaw risks unauthorized access to sensitive data, including user credentials and financial records. Vulnerability Details: Type: SQL Injection; Severity: Critical; Affected Component: members/fundDetails.php; Affected URL: http://localhost/management_system/members/fundDetails.php?m06=test'%20AND%20IF((SELECT%20COUNT(*)%20FROM%20information_schema.tables%20WHERE%20table_schema=DATABASE())%20%3E%2010,%20SLEEP(5),%200)%20AND%20'abc'%3D'abc; Vulnerable Parameter: m06 |
|---|
| Source | ⚠️ https://gist.github.com/0xCaptainFahim/86a679533ca293c98be5ab91b76b213f |
|---|
| User | 0xCaptainFahim (UID 86447) |
|---|
| Submitted | 2025-06-11 11:15 AM (10 months ago) |
|---|
| Moderation | 2025-06-19 12:49 PM (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 313341 [SourceCodester Advance Charity Management System 1.0 /members/fundDetails.php m06 SQL Injection] |
|---|
| Points | 20 |
|---|
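Added example, not part of the submission or the linked Gist: a small Python access-log scanner that flags the time-based blind injection shape reported above (MySQL SLEEP()/BENCHMARK(), conditional subqueries, information_schema probes) in URL-decoded query parameters, so a defender can hunt for probes against fundDetails.php. The log lines are constructed and the combined log format is an assumption.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Indicators of time-based blind SQL injection, checked against decoded parameter values.
INDICATORS = [
    ("mysql_sleep", re.compile(r"\bsleep\s*\(", re.I)),
    ("mysql_benchmark", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("conditional_subquery", re.compile(r"\bif\s*\(\s*\(?\s*select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
]

# Combined-format access log line (assumed layout): ip ident user [ts] "METHOD url proto" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log; the second line reproduces the payload shape from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jun/2025:11:15:01 +0000] "GET /management_system/members/fundDetails.php?m06=42 HTTP/1.1" 200 512
10.0.0.9 - - [11/Jun/2025:11:15:07 +0000] "GET /management_system/members/fundDetails.php?m06=test'%20AND%20IF((SELECT%20COUNT(*)%20FROM%20information_schema.tables%20WHERE%20table_schema=DATABASE())%20%3E%2010,%20SLEEP(5),%200)%20AND%20'abc'%3D'abc HTTP/1.1" 200 512
10.0.0.9 - - [11/Jun/2025:11:15:20 +0000] "GET /management_system/index.php HTTP/1.1" 200 2048
"""


def suspicious_params(url):
    """Map each query parameter to the indicator names its decoded value matches."""
    hits = {}
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote_plus(value)  # second decode pass catches double-encoded payloads
            matched = [label for label, rx in INDICATORS if rx.search(decoded)]
            if matched:
                hits.setdefault(name, []).extend(matched)
    return hits


def scan_log(text):
    """Return (ip, path, param, indicators) for every request carrying an indicator."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for param, indicators in suspicious_params(m["url"]).items():
            findings.append((m["ip"], urlsplit(m["url"]).path, param, indicators))
    return findings


if __name__ == "__main__":
    for ip, path, param, indicators in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} param={param} indicators={','.join(indicators)}")
```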