Source code
vulnerability
report

Hacker AI is powered by AckViz team



Analysis of project_name

Automated systems can produce false negatives; manual analysis by a cybersecurity expert is vital for distinguishing false negatives, especially in business-sensitive contexts. Click here to arrange a brief meeting with a specialist who can assist you in these tasks and perform a more in-depth static and dynamic analysis. Join our Discord server to get in touch with our team.
2023-03-22T07:23:46.298854 image/svg+xml Matplotlib v3.7.1, https://matplotlib.org/ 2023-03-22T07:23:46.403651 image/svg+xml Matplotlib v3.7.1, https://matplotlib.org/


SQL注入 -> Unnamed DVWA-master/dvwa/includes/DBMS/MySQL.php:21 

$drop_db = "DROP DATABASE IF EXISTS {$_DVWA[ 'db_database' ]};";
if( !@mysqli_query($GLOBALS["___mysqli_ston"],  $drop_db ) ) {
	dvwaMessagePush( "Could not drop existing database<br />SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );
	dvwaPageReload();
}
$create_db = "CREATE DATABASE {$_DVWA[ 'db_database' ]};";
if( !@mysqli_query($GLOBALS["___mysqli_ston"],  $create_db ) ) {
	dvwaMessagePush( "Could not create database<br />SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );
	dvwaPageReload();
}
dvwaMessagePush( "Database has been created." );
SQL注入
CWE ID CWE-89
Description 代码中存在一个严重的SQL注入漏洞,攻击者可以利用这个漏洞执行恶意SQL命令。
Remediation 使用参数化查询或预编译语句来防止SQL注入。
SQL注入 -> Unnamed DVWA-master/dvwa/includes/DBMS/MySQL.php:50 

$base_dir= str_replace ("setup.php", "", $_SERVER['SCRIPT_NAME']);
$avatarUrl  = $base_dir . 'hackable/users/';
$insert = "INSERT INTO users VALUES
	('1','admin','admin','admin',MD5('password'),'{$avatarUrl}admin.jpg', NOW(), '0'),
	('2','Gordon','Brown','gordonb',MD5('abc123'),'{$avatarUrl}gordonb.jpg', NOW(), '0'),
	('3','Hack','Me','1337',MD5('charley'),'{$avatarUrl}1337.jpg', NOW(), '0'),
	('4','Pablo','Picasso','pablo',MD5('letmein'),'{$avatarUrl}pablo.jpg', NOW(), '0'),
	('5','Bob','Smith','smithy',MD5('password'),'{$avatarUrl}smithy.jpg', NOW(), '0');";
if( !mysqli_query($GLOBALS["___mysqli_ston"],  $insert ) ) {
	dvwaMessagePush( "Data could not be inserted into 'users' table<br />SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) );
	dvwaPageReload();
}
dvwaMessagePush( "Data inserted into 'users' table." );
SQL注入
CWE ID CWE-89
Description 代码中存在一个严重的SQL注入漏洞,攻击者可以利用这个漏洞执行恶意的SQL查询,从而窃取、篡改或删除数据库中的数据。
Remediation 使用参数化查询或预编译语句来防止SQL注入攻击。避免使用字符串拼接来构建SQL查询。