| Title | gopeak MasterLab ≤v3.3.10 Pre-Auth SQL Injection |
|---|
| Description | The vulnerability is identified within the sqlInjectDelete function in the app/ctrl/framework/Feature.php file of the MasterLab project. This pre-authentication SQL injection vulnerability affects versions up to and including 3.3.10. The function in question improperly concatenates the phone parameter directly into an SQL query. It appears to be a piece of legacy test code that was inadvertently left in the production code.
An attacker can exploit this vulnerability by using tools like Postman to send a crafted POST request that includes a malicious SQL statement. For instance, by inserting the sleep(5) command, the attacker can cause the database operation to delay for 5 seconds, thereby confirming the presence of an SQL injection vulnerability. This flaw allows attackers to manipulate the database without any form of authentication, which could lead to serious security implications such as data breaches, data manipulation, or even full database compromise.
It is recommended that users upgrade to a version where this vulnerability has been fixed or apply necessary patches to mitigate the risk. |
|---|
| Source | ⚠️ https://note.zhaoj.in/share/jRqEcVBTsZh4 |
|---|
| User | glzjin (UID 59815) |
|---|
| Submission | 12/27/2023 10:43 (2 years ago) |
|---|
| Moderation | 12/28/2023 09:34 (23 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 249149 [gopeak MasterLab up to 3.3.10 HTTP POST Request Feature.php sqlInjectDelete phone sql injection] |
|---|
| Points | 20 |
|---|