Submission #786310: code-projects Online FIR System In PHP 1.0 SQL Injection Info

Title: code-projects Online FIR System In PHP 1.0 SQL Injection

Description: A SQL Injection vulnerability exists in the Online FIR System in PHP within the authentication functionality. The vulnerability occurs in the login processing component located at: /Online_FIR_System/Login/checklogin.php

The application processes user-supplied input through the email and password parameters during login. The email parameter is directly used in backend SQL queries without proper validation, sanitization, or parameterization. Testing confirmed that the email parameter is vulnerable to time-based SQL injection, indicating that attacker-controlled SQL expressions are executed by the database engine.

By injecting a crafted payload into the email parameter, an attacker can manipulate the SQL query structure. In the provided request, a delay-based payload using the SLEEP() function was used:

[email protected]'+(select*from(select(sleep(20)))a)+'

When the request is processed, the server response is delayed by approximately 20 seconds, confirming successful SQL injection. Because the application does not properly sanitize input or use prepared statements, it allows attackers to execute arbitrary SQL queries.
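The defect described above is the classic string-concatenation pattern in a PHP login handler, and the fix is to bind the email as a query parameter so the database engine never parses it as SQL. The following is an added illustration, not code from the Online FIR System or from the submitter: it assumes a PDO connection, a `users` table with `id`, `email` and `password_hash` columns, and passwords stored with `password_hash()`. The vulnerable function is shown only to contrast the query shape; the hardened path is what a fix to checklogin.php would look like.

```php
<?php
// Added example (hypothetical), not the project's code.
// Assumed schema: users(id, email, password_hash), hashes from password_hash().

// The pattern the report describes: the email value is spliced into the SQL
// text, so a value containing a quote followed by SQL changes the statement
// itself. Shown for contrast only.
function vulnerable_lookup(PDO $pdo, string $email): ?array
{
    $sql = "SELECT id, email, password_hash FROM users WHERE email = '" . $email . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: the statement shape is sent first, the value is bound
// separately, so whatever the value contains is compared as a string literal.
function find_user_by_email(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, email, password_hash FROM users WHERE email = :email LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the user id on success, null on any failure (same response either
// way, so the handler does not leak whether the email exists).
function check_login(PDO $pdo, string $email, string $password): ?int
{
    // Validate the shape of the input before it reaches the database at all.
    if (strlen($email) > 254 || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return null;
    }
    $user = find_user_by_email($pdo, $email);
    // The password is checked in PHP against the stored hash, never in SQL.
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    return (int) $user['id'];
}

// Runnable offline against a throwaway in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:e, :h)');
$ins->execute([
    ':e' => 'officer@example.com',                                  // constructed sample
    ':h' => password_hash('correct horse battery', PASSWORD_DEFAULT),
]);

var_dump(check_login($pdo, 'officer@example.com', 'correct horse battery'));
var_dump(check_login($pdo, 'officer@example.com', 'wrong password'));
// A value carrying a quote and SQL text is bound as data: it simply matches no row.
var_dump(find_user_by_email($pdo, "x@example.com' OR '1'='1"));
```

Two points worth noting for a fix: native prepared statements (not emulated ones) are what give the data/code separation, so set `PDO::ATTR_EMULATE_PREPARES` to `false` on MySQL connections; and keeping the password comparison out of the SQL entirely removes the second injectable parameter named in the report.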
Source: https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Online%20FIR%20System%20PHP%20email%20Parameter.md
User: AhmadMarzouk (UID 95993)
Submitted: 2026-03-23 06:21 PM (16 days ago)
Moderated: 2026-04-06 10:09 AM (14 days later)
Status: Accepted
VulDB Entry: 355488 [code-projects Online FIR System 1.0 Login /Login/checklogin.php email/password SQL Injection]
Points: 20
