SQL Injection on Cards.gov

On the /card/in-card.php page there is a search form (search_in) that submits to search_in.php with the GET method and also carries an id_no parameter. The search field is rendered with the following markup:

    <form action="search_in.php" method="get">
      Search for: <input type="text" name="search_in" id="search_in" value="">
    </form>

Whatever is typed into the "Search for" field, including a value with a '/' prefix, is accepted as-is and processed by the search form. The submitted value is stored, and the id_no value is later used to retrieve information about the user who performed the search. When that user views their library card, the stored value is written back into the value attribute of the input without any escaping, so a submission such as

    "><script>alert("Hi!");</script>

closes the attribute and is rendered as

    Search for: <input type="text" name="search_in" id="search_in" value=""><script>alert("Hi!");</script>

and the script executes in the browser of whoever views that card. Note that this demonstrated payload is a stored cross-site scripting (script injection) issue rather than SQL injection: the injected content is JavaScript, not SQL.

The id_no parameter is a plain SQL integer ("int") field that the application accepts without validating that the value actually is an integer. If it is concatenated into the query that looks up the card's user information, an attacker can append arbitrary SQL that runs when the library card is viewed. The write-up gives no concrete SQL payload for id_no; the only injection string it shows is the script payload above.
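The following is an added illustration, not code from Cards.gov or from the original write-up. It models the two defects described above in Python with an in-memory SQLite table: an id_no value that is concatenated into the SQL text, and a search_in value that is echoed into the value attribute of the card page. The table layout, sample rows, function names and the "1 OR 1=1" string are assumptions made for the example; the server's real code is not shown on the page.

```python
"""Illustrative model of an integer id_no concatenated into SQL and a
search_in value rendered into a library-card page without escaping.
Hypothetical code: table, rows and function names are assumptions."""
import html
import sqlite3

# Constructed sample data standing in for the library's user table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
    (3, "carol", "carol@example.org"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id_no INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, id_no: str) -> list:
    """The pattern the write-up alleges: the 'int' parameter is pasted into
    the query text, so anything after a valid-looking number runs as SQL."""
    query = f"SELECT name, email FROM users WHERE id_no = {id_no}"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, id_no: str) -> list:
    """Hardened form: enforce the integer type first, then bind the value
    as a parameter so the driver never interprets it as SQL text."""
    try:
        id_value = int(id_no)
    except ValueError:
        return []  # reject anything that is not a plain integer
    return conn.execute(
        "SELECT name, email FROM users WHERE id_no = ?", (id_value,)
    ).fetchall()


def render_card_unsafe(search_in: str) -> str:
    """Echoes the stored search_in value straight into the value attribute,
    which is how the alert payload ends up executing on the card page."""
    return (
        'Search for: <input type="text" name="search_in" id="search_in" '
        f'value="{search_in}">'
    )


def render_card_safe(search_in: str) -> str:
    """Same markup with attribute-context escaping; quote=True also escapes
    double quotes, which is what stops the payload breaking out of value=""."""
    return (
        'Search for: <input type="text" name="search_in" id="search_in" '
        f'value="{html.escape(search_in, quote=True)}">'
    )


def demo() -> dict:
    """Run the unsafe and hardened variants against both injection strings."""
    conn = make_db()
    sql_payload = "1 OR 1=1"  # assumed tautology appended to a valid-looking id
    xss_payload = '"><script>alert("Hi!");</script>'  # page's payload, brackets restored
    return {
        "unsafe_rows": lookup_user_unsafe(conn, sql_payload),
        "safe_rows": lookup_user_safe(conn, sql_payload),
        "safe_rows_for_real_id": lookup_user_safe(conn, "2"),
        "unsafe_html": render_card_unsafe(xss_payload),
        "safe_html": render_card_safe(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the concatenated query, the tautology turns a single-user lookup into a dump of every row; the typed-and-bound version returns nothing for the crafted string and only the matching row for a genuine id. On the rendering side, the escaped output keeps the script tags and the closing quote as literal text, so the browser shows them inside the field instead of executing them.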

Timeline

Published on: 09/12/2022 00:15:00 UTC
Last modified on: 09/15/2022 03:47:00 UTC