Description: An issue was discovered in Simplejobscript.com SJS before 1.65. There is unauthenticated SQL injection via the search engine. The parameter is landing_location. The function is countSearchedJobs(). The file is _lib/class.Job.php.
How can we test this vulnerability live on the website when searching? (not with a command-line tool or a website scanner)
We have run the tests and tried to input SQL queries which have been successfully escaped when processed.
Let me know so we can look more closely into this.
the bolded text? Or pull the latest commit. To see if this helps prevent the SQL injection.
The location is a select box where input cannot be entered, so I suspect this SQL could possibly be pushed into the website only by an experienced user from a command-line request.
Sorry, but that fix doesn't work because there is nothing to escape in the evil query, no single/double quotes. However, since $landing_location is supposed to be an integer, I would prefer the use of a cast:
$landing_location = (int)$landing_location;
It works pretty well.
To test all of this I strongly recommend trying Sqlmap.
You will see how easy it is to dump the whole database with that tool.
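As an added example (not SJS code and not from any post in this thread), the following shows the integer handling the reply above recommends, next to the stricter variant a reviewer would usually ask for: validating the parameter as an integer and binding it as a typed prepared-statement parameter so it can never become part of the SQL text. The function names, the `jobs` table and its columns are assumptions standing in for countSearchedJobs() in _lib/class.Job.php; the data is constructed for the demo.

```php
<?php
// Added example, not code from SJS or from this thread. The function and table
// names are hypothetical stand-ins for countSearchedJobs() in _lib/class.Job.php.

declare(strict_types=1);

/**
 * The fix proposed in the thread: a plain (int) cast. It stops non-numeric
 * input reaching the query, but it is lenient: "12abc" becomes 12 and
 * "abc" becomes 0, so a malformed value is silently reinterpreted.
 */
function cast_landing_location(mixed $raw): int
{
    return (int) $raw;
}

/**
 * Stricter variant: FILTER_VALIDATE_INT accepts only a clean integer string
 * and returns false for anything else, so the caller can reject the request
 * instead of running a query with a guessed value.
 */
function normalize_landing_location(mixed $raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

/**
 * Hardened count-by-location query (assumed schema): the value is validated as
 * an integer AND bound as PDO::PARAM_INT, so even a future schema change that
 * makes the column a string cannot reintroduce string concatenation into SQL.
 */
function count_searched_jobs_hardened(PDO $db, mixed $raw_location): int
{
    $location = normalize_landing_location($raw_location);
    if ($location === null) {
        throw new InvalidArgumentException('landing_location must be an integer');
    }

    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM jobs WHERE location_id = :loc AND is_active = 1'
    );
    $stmt->bindValue(':loc', $location, PDO::PARAM_INT);
    $stmt->execute();

    return (int) $stmt->fetchColumn();
}

// Self-contained demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jobs (id INTEGER PRIMARY KEY, location_id INTEGER, is_active INTEGER)');
$db->exec('INSERT INTO jobs (location_id, is_active) VALUES (3, 1), (3, 1), (7, 1), (3, 0)');

// Values a search request might carry: two valid ids, two malformed strings.
foreach (['3', '7', '12abc', 'abc'] as $input) {
    printf("(int) cast of %-8s => %d\n", var_export($input, true), cast_landing_location($input));
    try {
        $count = count_searched_jobs_hardened($db, $input);
        printf("hardened query %-8s => %d active jobs\n", var_export($input, true), $count);
    } catch (InvalidArgumentException $e) {
        printf("hardened query %-8s => rejected (%s)\n", var_export($input, true), $e->getMessage());
    }
}
```

Run with `php example.php` (needs the pdo_sqlite extension). The cast alone already removes the injection, because an integer can only ever be digits in the final SQL; the prepared statement is the belt-and-braces layer, and the filter_var check turns a silently truncated value into a visible rejection, which is also the event worth logging when hunting for probes against the search endpoint.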