| Title | SourceCodester Simple Forum Website 1.0 SQL Injection |
|---|
| Description | SQL Injection vulnerability was discovered in Sourcecodester's Sentiment Based Movie Success Rating Prediction System (user registration)
Official Website: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
Version: 1.0
Related Code file: /msrps/classes/Users.php
The email variable is directly inserted into the SQL query without any escaping or parameterization. An attacker could inject malicious SQL code by manipulating the email field. in (line number 135 of Users.php)
Injection parameter: email
Step to Reproduce:
1. Install and Setup the Movie Rating Application
2. click of Login
3. Click on Create a New Account Option
4. Fill the form and intercept the POST request in burp and copy the request
5. Store this request in a .txt file eg: register_req.txt
6. Run sqlmap
`sqlmap -r register_req.txt -p email`
Observe the SQL injection |
|---|
| Source | ⚠️ https://github.com/gurudattch/CVEs/blob/main/Sourcecodester-SQLi-Sentiment-Based-Moive-Rating.md |
|---|
| User | guru (UID 74056) |
|---|
| Submission | 08/29/2024 11:50 (2 years ago) |
|---|
| Moderation | 08/30/2024 09:50 (22 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 276222 [SourceCodester Sentiment Based Movie Rating System 1.0 User Registration Users.php?f=save_client email sql injection] |
|---|
| Points | 20 |
|---|