Vulnerability
SQL Injection

Description
SQL Injection is the act of supplying raw SQL inside input that the application concatenates into a query and executes, in order to read or modify the underlying database.

Located
Login.php at line 140

HTTP request type
POST

Vulnerable parameter / behaviour
The following statement builds and executes raw SQL from the user-supplied $uid and $pwd values without any escaping or parameterisation:

$sql = "SELECT * FROM sapusers WHERE user_uid = '" .$uid. "' and user_pwd ='" .$pwd. "'";

Payload / actions for reproduction
Enter the following query into the login form:

admin' AND (select sleep(10) from sapusers where user_pwd like 'p%');--

If the query is slow to return, we know that there is at least one password that begins with the letter p. Repeating this for every letter and number between a-z & 1-9, and discarding any character that does not produce a slowdown, narrows the first character of each stored password; the same process is then applied to the second character, and so on, with each slow response revealing more of the passwords.

If the passwords are stored in plaintext, the database has now leaked them outright; if they are hashed without salts, the recovered hashes can be tried against a rainbow table.

Code fix
Use prepared statements to parameterize the SQL query, so that $uid and $pwd are sent to the database as bound values and never interpreted as SQL:

// Placeholders (?) stand in for the user-supplied values.
$sql = "SELECT * FROM sapusers WHERE user_uid = ? AND user_pwd = ?";
$stmt = $conn->prepare($sql);
// "ss" declares both bound parameters as strings.
$stmt->bind_param("ss", $uid, $pwd);
$stmt->execute();
$result = $stmt->get_result();
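The fix above stops the injection, but it still compares the raw password inside SQL, which only works if user_pwd holds plaintext or an unsalted hash, the very storage weakness the report warns makes a leak so damaging. The following added example (not code from the original report or from the application) goes one step further: it parameterises the lookup by user_uid only, then checks the password in PHP with password_verify() against a salted hash. It assumes an open mysqli connection in $conn and that sapusers.user_pwd has been migrated to store password_hash() output; the table and column names are taken from the report, everything else is an assumption.

```php
<?php
declare(strict_types=1);

// Added example, not the application's own code. Assumes $conn is a mysqli
// connection and that sapusers.user_pwd stores password_hash() output.

// Make mysqli throw on failures instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Store a new user with a salted, slow hash of the password.
 * Assumed helper: the report does not show the registration code.
 */
function createUser(mysqli $conn, string $uid, string $pwd): void
{
    $hash = password_hash($pwd, PASSWORD_DEFAULT); // salt is generated and embedded
    $stmt = $conn->prepare('INSERT INTO sapusers (user_uid, user_pwd) VALUES (?, ?)');
    $stmt->bind_param('ss', $uid, $hash);
    $stmt->execute();
    $stmt->close();
}

/**
 * Authenticate a login attempt.
 * Returns the user row (without the hash) on success, or null on failure.
 *
 * Compared with the parameterised query in the report:
 *  1. Only $uid reaches the database, and only as a bound value, so no
 *     user input is ever interpreted as SQL.
 *  2. The password is checked in PHP against a salted hash, so a copy of
 *     the table cannot be matched against a precomputed rainbow table.
 */
function authenticate(mysqli $conn, string $uid, string $pwd): ?array
{
    // Hash verified when the account does not exist, so that response time
    // does not tell a caller whether the username was valid.
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);

    $stmt = $conn->prepare('SELECT user_uid, user_pwd FROM sapusers WHERE user_uid = ?');
    $stmt->bind_param('s', $uid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    $storedHash = $row['user_pwd'] ?? $dummyHash;
    $ok = password_verify($pwd, $storedHash);

    if ($row === null || !$ok) {
        return null;
    }

    // Transparently upgrade hashes created with an older algorithm or cost.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($pwd, PASSWORD_DEFAULT);
        $upd = $conn->prepare('UPDATE sapusers SET user_pwd = ? WHERE user_uid = ?');
        $upd->bind_param('ss', $newHash, $uid);
        $upd->execute();
        $upd->close();
    }

    unset($row['user_pwd']); // never hand the hash back to the caller
    return $row;
}

// Example usage in Login.php (assumed request parameter names):
// $user = authenticate($conn, $_POST['uid'] ?? '', $_POST['pwd'] ?? '');
// if ($user === null) { http_response_code(401); exit('Invalid credentials'); }
```

With this shape, the payload from the report is simply looked up as a literal username that does not exist, the dummy-hash comparison keeps the failure path about as slow as a real one, and a leaked table yields only bcrypt-style salted hashes rather than plaintext.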