SQL Injection in www.██████████

##Description: SQL Injection is a vulnerability which allows interference with the queries performed on a database, to obtain sensitive information which could be really useful to attackers. A web application database is often queried using user-requests parameters, which when are not properly sanitized can be modified injecting malicious code. In this case, the vulnerable endpoint is http://www.████████ and the vulnerable parameter is the POST rnum parameter. Respecting the program guidelines, I performed the minimal amount of testing required to prove that a vulnerability existed, but please tell me if I can bring the exploitation further to give more information. ##Reproduction steps 1 -Repeat the below requests with a interceptor proxy (for example, using Burp). ``` POST ████ HTTP/1.1 Host: www.████ Content-Length: 72 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://www.███████ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://www.███████████ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7 Cookie: PHPSESSID=█████ Connection: close ███████ ``` ``` POST ██████████ HTTP/1.1 Host: www.███████ Content-Length: 72 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://www.█████ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://www.████████████████ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7 Cookie: PHPSESSID=████ Connection: close █████ ``` In the first case, the record obtained from the database is the following: ``` ██████ ``` ██████ Whilst in the second case, the record obtained is: ``` ███ ``` █████ This confirms that the OFFSET clause is concatenated to the original query and there is the possibility to exploit a SQL Injection. ## Impact The vulnerability could allow an attacker to dump sensitive and personal data from the web application database (such as usernames and password hashes) or to perform authentication bypasses.