| Field | Value |
|---|---|
| Title | code-projects College Notes Uploading System 1.0 (Latest Official Source Code) SQL Injection |
| Description | The College Notes Uploading System, written in PHP, contains a critical SQL injection vulnerability in login.php. The login form takes the user-controllable `user` and `pass` parameters from the POST request and concatenates them directly into the SQL query string. The code does call mysqli_real_escape_string(), but never assigns the escaped return value back to the variables, so the values used in the query are still the raw, unsanitized input. An unauthenticated remote attacker can supply a crafted SQL payload to bypass login authentication, query arbitrary data from the database, and obtain sensitive information such as plaintext user account passwords, resulting in serious information disclosure and risk to the system. |
| Source | https://github.com/XOB-Kongqi/SystemCng-SQL-Injection/blob/master/cng_sql.md |
| User | XOBKONGQI (UID 98315) |
| Submission | 05/16/2026 19:51 (25 days ago) |
| Moderation | 06/04/2026 07:44 (18 days later) |
| Status | Duplicate |
| VulDB entry | 338585 [code-projects College Notes Uploading System 1.0 /login.php User sql injection] |
| Points | 0 |
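The bug class described in the entry, a call to mysqli_real_escape_string() whose return value is discarded, is easy to miss in review because the sanitizing call is visibly present. The following is an added illustration written for this page, not the project's own login.php: the first function reproduces the pattern the description reports (escaped value thrown away, raw input concatenated into the query), the second shows the fix a maintainer would apply (a prepared statement with bound parameters, plus hashed password verification instead of a plaintext comparison). The table and column names `users`, `username`, `password` and `password_hash` are assumptions.

```php
<?php
// Added example for this page, not code from the College Notes Uploading System.
// Table/column names below are assumed for illustration.

// --- Pattern reported in the submission: the escaped value is discarded ---
function vulnerable_login(mysqli $db, string $user, string $pass): ?array
{
    // mysqli_real_escape_string() RETURNS the escaped copy; it does not modify
    // its argument. These calls have no effect on $user and $pass.
    mysqli_real_escape_string($db, $user);
    mysqli_real_escape_string($db, $pass);

    // The raw request values are then concatenated straight into the query.
    $sql = "SELECT id, username FROM users "
         . "WHERE username = '$user' AND password = '$pass'";
    $result = mysqli_query($db, $sql);
    if ($result === false) {
        return null;
    }
    $row = mysqli_fetch_assoc($result);
    return $row ?: null;
}

// --- Hardened version: parameterized query and hashed password check ---
function safe_login(mysqli $db, string $user, string $pass): ?array
{
    // Input is bound as data; the database never parses it as SQL, so no
    // escaping step (and no chance of forgetting its return value) is needed.
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = ?'
    );
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a password_hash() digest rather than storing plaintext,
    // which also removes the "plaintext passwords in the DB" impact.
    if ($row === null || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}
```

`get_result()` requires the mysqlnd driver; on builds without it, use `bind_result()` and `fetch()` instead. For finding this pattern in a code base, static analyzers that flag unused return values (or a plain grep for `mysqli_real_escape_string(` followed by a check that each hit sits on the right-hand side of an assignment or inside an expression) catch the discarded-escape mistake quickly.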