Headline
CVE-2023-2677: cve/SQL.md at main · BacteriaJun/cve
A vulnerability, which was classified as critical, was found in SourceCodester Covid-19 Contact Tracing System 1.0. This affects an unknown part of the file admin/establishment/manage.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-228891.
Covid-19 Contact Tracing System v1.0 has SQL injection
BUG_Author: TangJun
vendors: https://www.sourcecodester.com/php/14728/covid-19-contact-tracing-system-web-app-qr-code-scanning-using-php-source-code.html
Vulnerability url: /cts_qr/admin/establishment/manage.php?id.
Payload: id=-3 union all select null,null,concat(0x66676869,0x3536373839),null,null,null,null-- -
The union query succeeds, proving that SQL injection vulnerability exists