| tiêu đề | code-projects Employee Management System in PHP 1.0 SQL Injection |
|---|
| Mô tả | The Employee Management System in PHP v1.0 is vulnerable to a SQL Injection vulnerability in the authentication functionality.
The vulnerability exists in the following endpoint:
/370project/process/eprocess.php
The application processes login requests using the mailuid and pwd parameters supplied via an HTTP POST request. The mailuid parameter is directly incorporated into backend SQL queries without proper validation, sanitization, or parameterized query handling.
Because the application fails to neutralize special SQL characters, attackers can inject malicious SQL code into the login request. This allows manipulation of the SQL query structure and execution of arbitrary SQL commands.
During testing, a time-based SQL injection payload was successfully executed:
'+(select*from(select(sleep(20)))a)+'
When this payload is submitted, the server response is delayed by approximately 20 seconds, confirming that the injected SQL query is executed by the database.
This demonstrates a time-based blind SQL injection vulnerability in the authentication mechanism. |
|---|
| Nguồn | ⚠️ https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Employee%20Management%20System%20PHP%20mailuid%20Parameter.md |
|---|
| Người dùng | AhmadMarzouk (UID 95993) |
|---|
| Đệ trình | 07/04/2026 10:39 (cách đây 20 ngày) |
|---|
| Kiểm duyệt | 26/04/2026 09:08 (19 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 359638 [code-projects Employee Management System 1.0 Endpoint eprocess.php pwd Tiêm SQL] |
|---|
| điểm | 20 |
|---|