Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Time Based Blind SQL Injection in "filterType" Parameter #37
Vulnerability Name: Time Based Blind SQL Injection in "filterType" Parameter
Vulnerability Description: filterType Parameter in admin/attachments.php file suffer from the Blind SQL Injection, By using the an attacker can grab the Backend Database Information
Step1: Open the Burp Suite go to the Repeater tab copy the above Contents
Mitigation: See the OWASP SQL Injection Prevention sheet on this https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
I cannot replicate the problem testing current version on ubuntu 16.04, mysql 5.5.62 and php 7.0.33. What FA/mysql/php version did you test on? Did you find any other point where the vulnerability exists? The field is sanitized in exactly the same manner as in all other inputs in FA, so if the problem really appears on some special server configuration, it should appear in many places of FA interface.