| Название | SQL Injection Found in Phpgurukul's "Rail Pass Management System Project in PHP" v 1.0 |
|---|
| Описание | In version 1,0 of Phpgurukul's "Rail Pass Management System Project in PHP", there is a unauthenticated SQL injection vulnerability present.
On the `/view-pass-detail.php` endpoint, there is a functionality to view and print your rail pass by entering it into the search box.
The pass number is a nine-digit number that must be entered exactly for your pass to appear. After entering the correct number, you are given access to the pass owner's full name, e-mail address, trip details, Adhar card number (India's version of SSN), photo and more.
However, no brute force is necessary, as all the data can be pulled due to insufficient sanitization.
Typing into the text field for pass number at `/view-pass-detail.php` sends a POST request to `/download-pass.php` with the parameters "searchdata=<YOUR_INPUT>&search="
EXPLOIT:
By simply entering a "%" symbol, the backend interprets it as a SQL wildcard and will dump all the rail tickets in the database, with links for each to see more information and print the ticket.
The vulnerability is present in the "download-pass.php" file, with insufficient sanitization on line 60, when parsing `$sdata=$_POST['searchdata'];`
The application's source is: https://phpgurukul.com/rail-pass-management-system-using-php-and-mysql/
Thanks for reading! |
|---|
| Пользователь | scumdestroy (UID 48934) |
|---|
| Представление | 15.06.2023 13:09 (3 лет назад) |
|---|
| Модерация | 15.06.2023 14:12 (1 hour later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 231625 [PHPGurukul Rail Pass Management System 1.0 POST Request /view-pass-detail.php searchdata SQL-инъекция] |
|---|
| Баллы | 17 |
|---|