Headline
CVE-2023-2690: CVEReport/SQL.md at main · LeozhangCA/CVEReport
A vulnerability, which was classified as critical, has been found in SourceCodester Personnel Property Equipment System 1.0. This issue affects some unknown processing of the file admin/returned_reuse_form.php of the component GET Parameter Handler. The manipulation of the argument client_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-228971.
Personnel Property Equipment System v1.0 has SQL injection
BUG_Author: LeoZhangCA
vendors: https://www.sourcecodester.com/php/11255/personel-property-equipment-system.html
Vulnerability File: /PPES/admin/returned_reuse_form.php
GET parameter “client_id” exists SQL injection vulnerability
Payload1: client_id=-1’ union all select null,null,null,null,concat(0x5152535556,0x666768),null,null,null-- -&dep_id=17&item_id=27
The UNION query is successful, and the expected string “QRSVfgh” appears, which proves that there is a SQL injection vulnerability