This is a technical writeup detailing a SQL injection vulnerability in WeBid 1.0.6, specifically in the `validate.php` and `includes/functions_fees.php` files. It explains how unsanitized POST parameters are used in an UPDATE query, allowing time-based blind injection or data extraction via embedded queries.
Classification: Writeup 90%
Target: WeBid 1.0.6
Auth required: Yes
Prerequisites: Access to the `validate.php` endpoint · Valid user account to view extracted data