Dvwa_CVE-2023-39848
DVWA v1.0 (https://github.com/digininja/DVWA) was found to contain a SQL injection vulnerability (CVE-2023-39848) via the id parameter at blind\source\high.php.
It may lead to a second-order SQL injection.
$id = $_COOKIE[ 'id' ];

// Check database: the cookie value is interpolated straight into the SQL string
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
$result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed
When a user stores malicious input in the cookie, the variable $id receives the value of $_COOKIE['id'] and is interpolated directly into the query string,
creating a risk of data loss and unauthorized access. For example, suppose an attacker hijacks the cookie and stores the malicious value "12 or 1=1 #" in it.
Once the above code is triggered, the generated SQL statement becomes "SELECT first_name, last_name FROM users WHERE user_id = 12 or 1=1 # LIMIT 1",
where # acts as a comment symbol, so the rest of the statement is ignored, and "or 1=1" becomes a condition that is always true, leading to data leakage from the users table.
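The following is an added example, not DVWA's own code: the vulnerable construction from high.php beside a hardened version that validates the cookie value and binds it through a mysqli prepared statement, so the value can never change the query's structure. The function names are hypothetical; $GLOBALS["___mysqli_ston"] is the connection handle named above.

```php
<?php
// Vulnerable form (mirrors the snippet above): the raw cookie value becomes
// part of the SQL text, so SQL syntax inside it is executed as SQL.
function lookup_user_vulnerable(mysqli $db, string $id): ?array {
    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    $result = mysqli_query($db, $getid);
    return $result ? (mysqli_fetch_assoc($result) ?: null) : null;
}

// Hardened form: reject anything that is not a plain non-negative integer,
// then pass the value as a bound parameter instead of as query text.
function lookup_user_safe(mysqli $db, string $id): ?array {
    if (!ctype_digit($id)) {
        return null;   // "12 or 1=1 #" and similar values stop here
    }
    $uid  = (int) $id;
    $stmt = mysqli_prepare(
        $db,
        "SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1"
    );
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, "i", $uid);   // "i": bind as integer
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $first, $last);
    $row = mysqli_stmt_fetch($stmt)
        ? ['first_name' => $first, 'last_name' => $last]
        : null;
    mysqli_stmt_close($stmt);
    return $row;
}

// Usage at the point where high.php reads the cookie.
$id  = $_COOKIE['id'] ?? '';
$row = lookup_user_safe($GLOBALS["___mysqli_ston"], $id);
```

With the hardened version the injected cookie value never reaches the database; with the vulnerable one it is spliced into the statement exactly as described above.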