When the id parameter is supplied directly by the client, an attacker can inject SQL through it and execute arbitrary statements against the application's database, reading or modifying its contents and, depending on the privileges of the database account the application uses, taking control of the database. To exploit the flaw, the attacker constructs a request to editorder.php with id set to a value that contains SQL syntax.

The crafted request does not have to come from the attacker's own browser. The attacker can host a page containing a pre-filled form that posts to editorder.php and direct users to it through links, sitemaps, search results or other redirection, so that the victim's browser submits the request with id already set to the attacker's value.

In the following example the attacker's page posts to editorder.php with a hidden id field set to "bob". The user only fills in the password field and submits the form, so the request reaches the server with the attacker-chosen id.

<form action="http://[SITE ADDRESS]/garage/editorder.php" method="POST">
  <input type="hidden" name="id" value="bob">
  <input type="password" name="password" value="password">
  <input type="submit" value="Submit">
</form>

Note that the id value must be set explicitly in the crafted request; the vulnerability is not reachable otherwise. An attacker cannot simply redirect a user to editorder.php and have that user


SQL Injection

SQL Injection is a vulnerability that lets an attacker place SQL syntax into a query the application builds from user input, changing what the query does and allowing the attacker to read or manipulate the database. It is most commonly exploited by supplying crafted values in form fields or URL parameters that the application concatenates into a SQL statement without escaping or parameter binding.

The following example shows how an attacker would craft the form fields to exploit the vulnerability. The edit form carries two further inputs, one named "title" and one named "text" (the excerpt below shows id and title). When the form is submitted, their values are sent to editorder.php, which inserts them into a SQL statement; any SQL syntax the values contain becomes part of the statement the database executes.

<form action="http://[SITE ADDRESS]/garage/editorder.php" method="POST">
  <input type="hidden" name="id" value="bob">
  <input type="hidden" name="title" value='1 DEALER'>
  <input type="submit" value="Submit">
</form>
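The following is an added example, not code from the affected application or from the original page. It models the id lookup described above with an in-memory SQLite table (the table name, columns and rows are constructed for this example) and places the unsafe string-built query beside a parameterised one, so the difference in behaviour for an id containing a single quote is visible. The probe function is the check used in the "How to test" steps below: a value with a quote that produces a database error is a strong sign the value reaches the query unescaped.

```python
import sqlite3

# Constructed sample rows standing in for the application's orders table.
# Table and column names are assumptions for this example.
SAMPLE_ORDERS = [
    ("alice", "Oil change", "Replace oil and filter"),
    ("bob", "Brake pads", "Front pads worn"),
    ("carol", "Tyres", "Rotate and balance"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT, title TEXT, text TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_order_vulnerable(conn, order_id):
    """Unsafe pattern: the id value is pasted into the SQL string, so a quote
    inside it terminates the literal and the rest is parsed as SQL."""
    query = f"SELECT id, title FROM orders WHERE id = '{order_id}'"
    return conn.execute(query).fetchall()


def lookup_order_safe(conn, order_id):
    """Hardened form: the value is bound as a parameter and is only ever
    treated as data, never as SQL syntax."""
    return conn.execute(
        "SELECT id, title FROM orders WHERE id = ?", (order_id,)
    ).fetchall()


def probe(conn, value):
    """Testing step: submit a value containing a single quote and report
    whether the string-built query breaks. Returns 'sql error' or 'no error'."""
    try:
        lookup_order_vulnerable(conn, value)
        return "no error"
    except sqlite3.OperationalError:
        return "sql error"


if __name__ == "__main__":
    db = make_db()
    # Normal request: one row for bob.
    print(lookup_order_vulnerable(db, "bob"))
    # Injected id: the OR clause makes the WHERE true for every row.
    print(lookup_order_vulnerable(db, "bob' OR '1'='1"))
    # A lone quote in the value produces a syntax error from the database.
    print(probe(db, "x'"))
    # The parameterised query returns nothing for the same payload.
    print(lookup_order_safe(db, "bob' OR '1'='1"))
```

The payload strings are constructed for the example. Note that the parameterised version cannot be made to return other users' rows by any value of id; the fix for the flaw described on this page is to bind id (and title and text) as parameters rather than building the statement by concatenation.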

File Upload Vulnerabilities

File upload vulnerabilities are a significant class of web application flaws. They occur when an application provides an upload form (an input of type="file") and stores whatever the user submits without validating the file name, extension, type or content. A user can then place arbitrary files in the upload location or their profile directory, for example a .htaccess file that changes how the web server handles requests in that directory, or a script the server will execute.
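As an added example, not code from the affected application or from the original page, the following validation routine shows the checks an upload handler should apply before storing a file: no path components, no dotfiles such as .htaccess, a single allowlisted extension, and leading bytes that match the claimed type. The allowlist and magic bytes are assumptions chosen for the example.

```python
import os
import re
import secrets

# Allowlisted extensions and the magic bytes a file of that type must start
# with. Assumed for this example, not the application's configuration.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
# Stem may contain only these characters; a dot in the stem (double
# extension such as shell.php.png) is rejected by this pattern.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, content):
    """Return (ok, reason) for a submitted filename and its raw bytes."""
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        return False, "path component in filename"
    if filename.startswith("."):
        return False, "dotfile (e.g. .htaccess) not allowed"
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowlisted"
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters or double extension in name"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match claimed type"
    return True, "ok"


def stored_path(upload_dir, ext):
    """Never reuse the client's name on disk: store under a random name with
    the validated extension so the original name cannot influence the path."""
    return os.path.join(upload_dir, secrets.token_hex(16) + ext)


if __name__ == "__main__":
    # Constructed inputs for the example.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, data in [
        (".htaccess", b"Options +ExecCGI"),
        ("../../x.png", png),
        ("shell.php", b"<?php"),
        ("shell.php.png", png),
        ("pic.png", b"<?php echo 1;"),
        ("pic.PNG", png),
    ]:
        print(name, validate_upload(name, data))
```

Validation of the name alone is not sufficient on its own: the content check stops a PHP file renamed to .png, and storing under a random server-chosen name removes the client's influence over the final path entirely.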

How to test the id parameter

1. Build a form (or a direct request) that posts to editorder.php with the id parameter set to 'bob'.
2. Submit it with "bob" in the id field and confirm the request is processed normally; then repeat with an id value containing a single quote and watch for database errors or a change in the returned data, which indicates the value reaches the query unescaped.

Timeline

Published on: 11/02/2022 16:15:00 UTC
Last modified on: 11/03/2022 03:35:00 UTC
