| Title | code-projects Human Resource Integrated System published August 1, 2025 SQL Injection |
|---|
| Description | Summary
The vulnerability is in the insert-and-view component (action.php), which builds SQL queries from user input without proper handling or validation.
Root Cause
action.php still uses the legacy mysql_* extension (mysql_query), which was deprecated in PHP 5.5 and removed in PHP 7.0, and assembles its queries by string concatenation instead of parameterizing them. The value of $_POST['content'] is passed through mysql_real_escape_string and then embedded directly into the INSERT statement.
Example code snippet:
$content = mysql_real_escape_string($_POST['content']);
mysql_query("insert into comment(msg,ip_add) values ('$content','$ip')");
mysql_real_escape_string() neutralises the quote character inside a single-quoted string literal, so at this exact statement it blocks the classic first-order injection. It is not a general defence: it only helps when the value sits inside quotes (it does nothing for numeric or identifier positions), it has to be applied to every interpolated variable ($ip is interpolated here with no escaping at all; the report does not show where $ip comes from, so whether it is attacker-controllable is unknown), and the stored value keeps its original quotes, so any later query that concatenates the saved comment back into SQL (second-order injection) is still exploitable. Prepared statements (PDO or mysqli) remove the problem at its root.
Reproduction
Navigate to the application's comment submission form.
Submit the following payload as the comment content:
'); DROP TABLE comment; --
Observe how the application handles the payload. In the snippet above the leading quote is escaped and mysql_query() executes only a single statement, so the stacked DROP TABLE does not run there and the payload is stored as literal text. The injection is confirmed at a sink where content reaches a query without escaping, or where the stored comment is concatenated into a later query.
Impact
An attacker who reaches such a sink can read or modify other rows, run SQL of their choosing within the database user's privileges, access sensitive HR data, or corrupt the database. |
|---|
| Source | https://github.com/shenxianyuguitian/hris-vuln-sqli/blob/main/README.md |
|---|
| User | xuanyuesanshi (UID 88126) |
|---|
| Submission | 2025-08-01 08:08 AM (9 months ago) |
|---|
| Moderation | 2025-08-02 08:54 AM (1 day later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 318599 [code-projects Human Resource Integrated System 1.0 action.php content SQL Injection] |
|---|
| Points | 20 |
|---|
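The escaping-versus-parameterization point made in the description, as an added worked example; this is not code from the Human Resource Integrated System project or from the report. It assumes an in-memory SQLite database standing in for MySQL, an escape() helper that doubles quotes because SQLite does not understand the backslash escapes mysql_real_escape_string() produces, and a hypothetical second consumer of the stored comment (a concatenated DELETE) invented to show second-order injection; the sample rows and payloads are constructed.

```python
"""Escaped concatenation vs. parameterized statements for the comment INSERT.

Added example; not code from the Human Resource Integrated System project.
Assumptions: SQLite (in-memory) stands in for MySQL; escape() doubles quotes
instead of backslash-escaping them, because SQLite has no backslash escapes;
delete_by_msg_concatenated() is a hypothetical second consumer of the stored
comment, invented to show second-order injection.
"""
import sqlite3

# Constructed attacker inputs for the comment field.
STACKED_PAYLOAD = "'); DROP TABLE comment; --"   # the report's payload
SECOND_ORDER_PAYLOAD = "x' OR '1'='1"            # harmless on insert, live later


def escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string(): neutralise the string delimiter."""
    return value.replace("'", "''")


def new_db() -> sqlite3.Connection:
    """Fresh comment table with one legitimate row (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comment (id INTEGER PRIMARY KEY, msg TEXT, ip_add TEXT)")
    conn.execute("INSERT INTO comment (msg, ip_add) VALUES ('hello', '10.0.0.1')")
    return conn


def insert_escaped(conn: sqlite3.Connection, content: str, ip: str) -> None:
    """The action.php pattern: escape the value, then concatenate it into the SQL."""
    conn.execute(f"INSERT INTO comment (msg, ip_add) VALUES ('{escape(content)}', '{ip}')")


def insert_parameterized(conn: sqlite3.Connection, content: str, ip: str) -> None:
    """Hardened form: the driver sends the values separately from the SQL text."""
    conn.execute("INSERT INTO comment (msg, ip_add) VALUES (?, ?)", (content, ip))


def delete_by_msg_concatenated(conn: sqlite3.Connection, msg: str) -> int:
    """Hypothetical second-order sink: a stored msg is concatenated, unescaped."""
    return conn.execute(f"DELETE FROM comment WHERE msg = '{msg}'").rowcount


def delete_by_msg_parameterized(conn: sqlite3.Connection, msg: str) -> int:
    """Same operation with a bound parameter: the payload is only ever data."""
    return conn.execute("DELETE FROM comment WHERE msg = ?", (msg,)).rowcount


def stored_msg(conn: sqlite3.Connection, ip: str) -> str:
    """Read a comment back the way a later page of the application would."""
    return conn.execute("SELECT msg FROM comment WHERE ip_add = ?", (ip,)).fetchone()[0]


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM comment").fetchone()[0]


def demo() -> dict:
    """Run the three scenarios and return the observable results."""
    r = {}
    conn = new_db()

    # 1. First-order attempt against the escaped INSERT: the leading quote is
    #    neutralised, the payload lands in the table as plain text, nothing is dropped.
    insert_escaped(conn, STACKED_PAYLOAD, "10.0.0.2")
    r["stacked_stored_verbatim"] = stored_msg(conn, "10.0.0.2") == STACKED_PAYLOAD
    r["rows_after_stacked"] = row_count(conn)

    # 2. Second-order: the escaped INSERT stores the quote intact. When a later
    #    query concatenates the stored value, WHERE msg = 'x' OR '1'='1' matches
    #    every row and the whole table is deleted.
    insert_escaped(conn, SECOND_ORDER_PAYLOAD, "10.0.0.3")
    r["rows_before_second_order"] = row_count(conn)
    r["second_order_deleted"] = delete_by_msg_concatenated(conn, stored_msg(conn, "10.0.0.3"))
    r["rows_after_second_order"] = row_count(conn)

    # 3. Parameterized at both sinks: the same payload is just data and only
    #    its own row matches the DELETE.
    conn = new_db()
    insert_parameterized(conn, SECOND_ORDER_PAYLOAD, "10.0.0.3")
    r["param_deleted"] = delete_by_msg_parameterized(conn, stored_msg(conn, "10.0.0.3"))
    r["rows_after_param"] = row_count(conn)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Scenario 1 is why the report's payload does not fire at the escaped INSERT; scenario 2 is the second-order case the description warns about, and it only exists because escaping is a per-call decision that has to be repeated at every sink; scenario 3 shows that binding parameters at each query removes the question of "was this value escaped yet" entirely.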