| Title | SQL injection vulnerability in Sports Club Management System |
|---|
| Description | Enter admin1/admin1 to enter the background,Click payment, and then add payment。Enter MEMBERSHIP ID,MEMBERSHIP ID is the SQL injection parameter。In admin/make_ Payments.php, at line 119, the information entered by the user is submitted to submit_ Payments.php, follow up the code, and we can see that the m entered by the user_ The ID is assigned to $memID. Without any filtering, it is directly inserted into the database for query, and the query results are returned, causing SQL injection vulnerabilities。The SQL injection vulnerability is due to the data submitted by the user, which is directly brought into the database without filtering and executed SQL statements,SQL injection vulnerability can obtain database sensitive information。 |
|---|
| Source | ⚠️ https://github.com/shreyansh225/Sports-Club-Management-System/issues/6 |
|---|
| User | ace. (UID 34853) |
|---|
| Submission | 11/16/2022 08:18 (4 years ago) |
|---|
| Moderation | 11/16/2022 08:55 (37 minutes later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 213789 [Sports Club Management System 119 admin/make_payments.php m_id/plan sql injection] |
|---|
| Points | 20 |
|---|