dsad
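--- a/vuln-lab/web/www/profile.php
+++ b/vuln-lab/web/www/profile.php
@@ -0,0 +1,35 @@
+<?php
+// Integer-based SQLi — no quotes, full pipeline (error/bool/union/time).
+$dbh = @new mysqli(getenv('DB_HOST') ?: 'db', 'root', getenv('DB_PASS') ?: 'toor', getenv('DB_NAME') ?: 'newploit');
+
+$id = $_GET['id'] ?? '1';
+
+$sql = "SELECT id, username, email, role FROM users WHERE id=$id";
+$row = null;
+$err = '';
+if ($dbh && !$dbh->connect_errno) {
+$res = @$dbh->query($sql);
+if ($res === false) {
+$err = $dbh->error;
+} else {
+$row = $res->fetch_assoc();
+}
+}
+?><!DOCTYPE html>
+<html><body>
+<h1>User profile #<?= htmlspecialchars($id) ?></h1>
+
+<?php if ($err): ?>
+<pre style="color:#c00">You have an error in your SQL syntax: <?= $err ?>
+<?= htmlspecialchars($sql) ?></pre>
+<?php elseif ($row): ?>
+<p>User found:</p>
+<ul>
+<li>username: <?= htmlspecialchars($row['username'] ?? '') ?></li>
+<li>email: <?= htmlspecialchars($row['email'] ?? '') ?></li>
+<li>role: <?= htmlspecialchars($row['role'] ?? '') ?></li>
+</ul>
+<?php else: ?>
+<p>No such user.</p>
+<?php endif; ?>
+</body></html>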
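Review bot: In the `<pre>` error block, `$dbh->error` is printed raw with `<?= $err ?>`, while `$sql` on the next line and every row field go through `htmlspecialchars()`. MySQL error text typically quotes part of the failing statement, so request-controlled markup can reach the page unescaped. The header comment declares only SQL injection as the intended flaw, so if the second sink is not deliberate it should read `<?= htmlspecialchars($err) ?>`, and if it is deliberate the comment should name it. Separately, the connection uses `root` with the fallback password `'toor'`, which gives the intentionally injectable query server-wide privileges; a dedicated account limited to `SELECT` on the lab schema would likely keep the exercise confined to the `users` data. A top-of-file line such as `// INTENTIONALLY VULNERABLE: lab use only, keep on an isolated network` would make the file's status clear to anyone who finds it outside the lab.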