[security] CVE-2020-7229, SQL injection in search function #7
Comments
Hi, how can we test this vulnerability live on the website when searching (not from a command-line tool or some website scans)? Let me know so we can look more closely into this. Thank you for reporting.

Use the following POST data on your demo homepage. Data: landing_title=aaa&landing_location=77+or+(select+(sleep(1)))%23 You'll get a blank page, which is enough to prove there is something wrong.

Hello, could you please try to open "controllers/page_landing_searched.php" and add escape($_POST); (the bolded text)? Or pull the latest commit, to see if this helps prevent the SQL injection. Maros

Sorry, but that fix doesn't work because there is nothing to escape in the evil query, no single/double quotes. However, since it works pretty well. To test all of this I strongly recommend trying sqlmap.

Hello and thank you for your help! I have made the change and typecast it to an integer. I assume the issue can be closed now. Do let us know if this needs more attention and

Description:
An issue was discovered in Simplejobscript.com SJS before 1.65. There is unauthenticated SQL injection via the search engine. The parameter is landing_location. The function is countSearchedJobs(). The file is _lib/class.Job.php.

Environment:

Payload:
landing_title=aaa&landing_location=77+or+(select+(sleep(2)))

Steps to Reproduce:
$ sqlmap --threads=10 --batch --dbms=mysql -u "http://local.simplejobscript.net/searched" --data="landing_title=aaa&landing_location=77" -p landing_location --banner

PoC:

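The point argued in the thread, as an added example that is not code from the SJS project or from anyone in this issue: a numeric parameter concatenated into the query without quotes is untouched by quote-escaping, so `escape($_POST)` cannot stop the payload, while the integer typecast the maintainer applied (or a parameterized query) does. The example uses Python and sqlite3 standing in for PHP and MySQL; the `jobs` table, its rows, the `escape()` helper (an addslashes-style stand-in), and the payload `77 or 1=1` (a boolean stand-in for the MySQL `sleep()` payload, since SQLite has no `sleep()`) are all constructed for this illustration and are not the project's own.

```python
import sqlite3

# Constructed sample data (not from the project): jobs keyed by a numeric location id.
ROWS = [("Developer", 77), ("Designer", 77), ("Analyst", 12), ("Manager", 5)]

# Constructed payload: boolean-based stand-in for "77 or (select (sleep(2)))".
# It contains no quote characters, which is the whole point of the thread.
PAYLOAD = "77 or 1=1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, location_id INTEGER)")
    conn.executemany("INSERT INTO jobs (title, location_id) VALUES (?, ?)", ROWS)
    return conn


def escape(value: str) -> str:
    """Addslashes-style escaping: only backslashes and quotes are altered.

    A payload with no quote characters passes through unchanged."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def count_jobs_escaped(conn: sqlite3.Connection, landing_location: str) -> int:
    """VULNERABLE: the value is concatenated into a numeric comparison unquoted,
    so escaping changes nothing and 'or 1=1' becomes part of the WHERE clause."""
    sql = "SELECT COUNT(*) FROM jobs WHERE location_id = " + escape(landing_location)
    return conn.execute(sql).fetchone()[0]


def count_jobs_intcast(conn: sqlite3.Connection, landing_location: str) -> int:
    """Hardened (the fix applied in the thread): typecast to int before use.
    Anything that is not a plain integer raises ValueError and never reaches SQL."""
    location_id = int(landing_location)
    sql = f"SELECT COUNT(*) FROM jobs WHERE location_id = {location_id}"
    return conn.execute(sql).fetchone()[0]


def count_jobs_param(conn: sqlite3.Connection, landing_location: str) -> int:
    """Hardened alternative: bind the value as a parameter. The payload is then a
    literal the engine compares against location_id, matching no row."""
    row = conn.execute(
        "SELECT COUNT(*) FROM jobs WHERE location_id = ?", (landing_location,)
    ).fetchone()
    return row[0]


def intcast_rejects(conn: sqlite3.Connection, landing_location: str) -> bool:
    """True if the typecast version refuses the input (ValueError) instead of querying."""
    try:
        count_jobs_intcast(conn, landing_location)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("escape() leaves payload unchanged:", escape(PAYLOAD) == PAYLOAD)
    print("escaped, legit 77   ->", count_jobs_escaped(db, "77"))       # 2 rows
    print("escaped, payload    ->", count_jobs_escaped(db, PAYLOAD))    # all 4 rows: injected
    print("intcast, legit 77   ->", count_jobs_intcast(db, "77"))       # 2 rows
    print("intcast rejects     ->", intcast_rejects(db, PAYLOAD))       # True
    print("param, payload      ->", count_jobs_param(db, PAYLOAD))      # 0 rows
```

Run it as-is; the escaped variant returns the whole table for the payload, which is the same symptom the blank-page and `sleep()` tests reveal on the real site. A time-based check like the one in the report is needed only when the injected condition does not visibly change the response.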