Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection

Information about vulnerability

- Exploit Title: Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection
- Date: 05/01/2022
- Exploit Author: twseptian
- Vendor Homepage: https://www.sourcecodester.com/php/15119/online-veterinary-appointment-system-using-phpoop-free-source-code.html
- Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/ovas.zip
- Version: v1.0
- Tested on: Kali Linux 2021.4
- Exploit-DB: https://www.exploit-db.com/exploits/50644

SQL Injection

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Online Veterinary Appointment System 1.0 is vulnerable to multiple SQL injections.

Attack Vector

An attacker can compromise the application's database using automated (or manual) tools such as sqlmap.

  1. Appointment Requests - Vulnerable Parameter(s): id
     Steps to reproduce:
    • Step-1: On the dashboard, navigate to the 'Appointment Requests' page using the following URL: http://localhost/ovas/admin/?page=appointments, then go to 'Action' > 'View'.
    • Step-2: Put the SQL injection payload in the 'id' parameter. Time-based blind payload: page=appointments/view_details&id=1' AND (SELECT 2197 FROM (SELECT(SLEEP(5)))DZwi) AND 'mQQq'='mQQq
    • Step-3: The target server accepts the payload and the response is delayed by 5 seconds.
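The root cause behind a time-based blind injection in an `id` lookup like the one above is the request value being spliced into the SQL text. The following is an added illustration, not code from the OVAS project: a hypothetical reconstruction of such a lookup next to a hardened version that validates `id` and binds it with a prepared statement. The table name `appointments` and the `mysqli` connection are assumptions; only the `id` parameter comes from the advisory.

```php
<?php
// Added example (not the OVAS project's own code). Table/column names are
// assumed; the 'id' parameter is the one named in the advisory.

// VULNERABLE (hypothetical): the raw GET value becomes part of the SQL text.
// A quote in ?id= closes the string literal and the rest is parsed as SQL,
// which is what a payload such as  1' AND (SELECT ... SLEEP(5) ...)  relies on.
function viewDetailsVulnerable(mysqli $db, array $get): ?array
{
    $sql = "SELECT * FROM appointments WHERE id = '" . $get['id'] . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// HARDENED: validate the shape of the input first, then pass it to the
// database as a bound parameter so value and query text never mix.
function viewDetailsHardened(mysqli $db, array $get): ?array
{
    // 'id' is a surrogate key: accept only a positive integer.
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);   // reject malformed input instead of querying
        return null;
    }

    $stmt = $db->prepare('SELECT * FROM appointments WHERE id = ?');
    $stmt->bind_param('i', $id);   // 'i' = integer; the driver handles escaping
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

With the hardened version, a value like `1' AND (SELECT ...)` fails `FILTER_VALIDATE_INT` and never reaches the database, and even a valid integer is sent as data rather than as query text.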
