Money Transfer Management System 1.0 - SQL Injection

Summary

Name: Money Transfer Management System - SQL Injection
Code name: Jagger
Product: Money Transfer Management System 1.0
Affected versions: Version 1.0
State: Public
Release date: 2022-03-15

Vulnerability

Kind: SQL injection
Rule: 146. SQL injection
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSSv3 Base Score: 4.3
Exploit available: No
CVE ID(s): CVE-2022-25223

Description

Money Transfer Management System Version 1.0 allows an authenticated user to inject SQL queries in mtms/admin/?page=transaction/view_details via the id parameter.

Proof of Concept

Steps to reproduce

  1. Log in to the application as a normal user.
  2. Go to http://127.0.0.1/mtms/admin/?page=transaction/view_details&id=1
  3. Insert the following query inside the id parameter:

     id=a' union select 1,user(),2,4,5,6,7,8,9,10-- -

  4. The current database user will be shown inside the Tracking Code field.

System Information

  • Version: Money Transfer Management System version 1.0.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: MySQL

Exploit

No exploit is available for the vulnerability, but it can be exploited manually.

Mitigation

As of 2022-03-15 there is no patch resolving the issue.
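As an added illustration (not the vendor's code, and not a patch for this product), the following PHP shows the string-concatenation pattern from which this class of bug arises next to a hardened lookup that validates the id as an integer and binds it through a PDO prepared statement. The table name `transaction_list`, the column name `id`, the DSN and the credentials are assumptions made for the example.

```php
<?php
// Added example, not code from the advisory or the vendor.
// Table/column names, DSN and credentials are assumptions for illustration.

function connect(): PDO
{
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=mtms_db;charset=utf8mb4', 'app_user', 'change-me');
    // Use server-side prepared statements (not client-side emulation) and
    // raise exceptions instead of silently returning false on SQL errors.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// VULNERABLE pattern (illustrative): the request parameter is concatenated
// into the query text, so a value like  a' UNION SELECT ...  is executed as SQL.
function getTransactionUnsafe(PDO $pdo, string $id): ?array
{
    $sql = "SELECT * FROM transaction_list WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED pattern: reject anything that is not a positive integer, then bind
// the value as a typed parameter so it can never alter the query structure.
function getTransactionSafe(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // e.g. "a' union select ..." never reaches the database
    }
    $stmt = $pdo->prepare('SELECT * FROM transaction_list WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handler: the id from the query string is validated and bound,
// never interpolated into SQL.
$pdo = connect();
$details = getTransactionSafe($pdo, $_GET['id'] ?? '');
if ($details === null) {
    http_response_code(404);
    exit('Transaction not found');
}
echo json_encode($details);
```

Either control alone blocks the payload shown in the proof of concept (the integer check because the value begins with a letter and a quote, the bound parameter because the value is sent separately from the query text); applying both keeps the lookup safe even if the validation is later relaxed.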

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

Timeline

2022-02-15: Vulnerability discovered.

2022-02-15: Vendor contacted.

2022-03-15: Public disclosure.