Closed gwen001 closed 4 years ago
For that one, I recommend casting the vulnerable parameter with int().
Also, it would be great to check that the job_id provided belongs to the connected user. For now every user, even unauthenticated, can retrieve all applications by looping through that number, which is basically what we call an IDOR.
Best regards.
Thank you for submitting the issue. We have typecast the job_id as an integer as you suggested.
Great job!
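The two fixes discussed in this thread (casting job_id to an integer, and checking that the job belongs to the authenticated user) combined in one lookup function, as an added illustration that is not the SJS project's code. It assumes a PDO connection, hypothetical tables job_applications and jobs (the latter with an owner_user_id column), and the current user's id taken from the session; the function name is reused from the report only to show where such a change would sit. It is written to run on the PHP 5.6 listed in the environment, so it uses no scalar or return type declarations.

```php
<?php
// Added example, not SJS code. Assumed schema (hypothetical):
//   job_applications(id, job_id, ...)  and  jobs(id, owner_user_id, ...)
// The vulnerable pattern in the report is building the query from the raw
// job_id request value; this version never lets that value reach SQL as text.

function getJobApplicationsByJobId(PDO $pdo, $rawJobId, $currentUserId)
{
    // 1. Validate before casting. A bare (int) cast would turn
    //    "493 AND (SELECT ...)" into 493, which closes the injection but
    //    silently accepts garbage; FILTER_VALIDATE_INT rejects it explicitly.
    $jobId = filter_var($rawJobId, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 1),
    ));
    if ($jobId === false) {
        throw new InvalidArgumentException('job_id must be a positive integer');
    }

    // 2. Require an authenticated user: the reported endpoint answered
    //    unauthenticated requests.
    if ($currentUserId === null) {
        throw new RuntimeException('authentication required');
    }

    // 3. Bind the value in a prepared statement (defence in depth on top of
    //    the integer cast) and join on jobs so that only the job's owner can
    //    read its applications, which closes the IDOR raised in the comments.
    $stmt = $pdo->prepare(
        'SELECT a.* FROM job_applications a ' .
        'JOIN jobs j ON j.id = a.job_id ' .
        'WHERE a.job_id = :job_id AND j.owner_user_id = :user_id'
    );
    $stmt->bindValue(':job_id', $jobId, PDO::PARAM_INT);
    $stmt->bindValue(':user_id', (int) $currentUserId, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical call from the AJAX handler; the session key is assumed.
// $rows = getJobApplicationsByJobId(
//     $pdo,
//     isset($_POST['job_id']) ? $_POST['job_id'] : null,
//     isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null
// );
```

The ownership join returns an empty result for a job the caller does not own rather than an error, so enumerating job_id values no longer leaks other users' applications and the response shape stays the same for the legitimate caller.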
Description: An issue was discovered in Simplejobscript.com SJS through 1.66. There is an unauthenticated SQL injection via the job applications search function. The vulnerable parameter is job_id. The function is getJobApplicationsByJobId(). The file is _lib/class.JobApplication.php.

Environment:
Version: 1.64
OS: Ubuntu 16.10
Web server: Apache 2.4.18
PHP: 5.6.40
Database: MySQL 5.7.28
URL: /get_job_applications_ajax.php

Payload: job_id=493+AND+(SELECT+9069+FROM+(SELECT(SLEEP(5)))Ufmy)

Steps to Reproduce:
$ sqlmap --batch --threads=10 --dbms=mysql -u "http://local.simplejobscript.net/get_job_applications_ajax.php" --data="job_id=493" --banner

PoC: